Authentication
How authentication works—auth modes, JWT vs API keys, and when to use each.
Overview
The API supports two authentication methods:
| Method | Use case | Header |
|---|---|---|
| JWT (Bearer) | Interactive users, Swagger, short-lived sessions | Authorization: Bearer <token> |
| API key | Service-to-service, scripts, long-lived programmatic access | X-Api-Key: <key> |
Both require tenant context: X-Tenant-Id and X-Environment. With an API key, those headers are required and must match the key’s tenant and environment. See Required Headers for details.
Auth modes
The server AUTH_MODE setting controls how JWTs are validated. Documented platform integration uses Keycloak:
| Mode | JWT source | When to use |
|---|---|---|
| keycloak | POST /auth/token → Keycloak access token | Production and typical development with Keycloak. |
| both | Try Keycloak first, then symmetric JWT where applicable | Migration or mixed environments. |
Other AUTH_MODE values may exist for legacy or internal tooling; they are not part of the external integration path. Use Keycloak and token exchange as described in Token Exchange.
Use POST /auth/token with username and password to obtain a Keycloak access token, then send it as Authorization: Bearer <access_token> on business APIs.
JWT flow
- Obtain a token — Token exchange (
POST /auth/tokenwith Keycloak credentials). - Include in requests —
Authorization: Bearer <access_token> - Token contains —
tenant_id,environment,user_id,roles,permissions. The API validates the tenant and user against the database. See Users for provisioning.
JWT expiry follows Keycloak and your realm settings. Refresh tokens are not supported by this API; obtain a new token when expired.
API key flow
- Create —
POST /auth/api-keys(JWT only). Response includesapiKey(pr_<public>.<secret>),id, andpublicId. Only the secret segment is stored hashed (Argon2id) in the database. - List / revoke —
GET /auth/api-keysandDELETE /auth/api-keys/:idare JWT only; listing returns metadata, never the secret. - Use on business APIs — Send
X-Api-Key: <full key>orAuthorization: Bearer <full key>(opaque). IncludeX-Tenant-IdandX-Environment; they must match the key. If bothX-Api-KeyandAuthorizationare sent,X-Api-Keywins. - Permissions — Keys carry
read/writeflags. Read-only HTTP methods requireread; mutating methods requirewrite.
API keys are scoped to one tenant and environment. Optional expiresAt and revocation apply to all requests using that key. Use keys for background jobs, internal services, or scripts that call the API without an interactive user.
Public endpoints
These endpoints do not require authentication:
GET /api/health— Health checkPOST /auth/token— Token exchange (Keycloak)
All other endpoints require Authorization or X-Api-Key plus X-Tenant-Id and X-Environment (unless the route is explicitly public, e.g. POST /tenants in development).
Next steps
- Token Exchange — Get a Keycloak token
- API Keys — Create and use API keys
- Required Headers — Header reference