Skip to Content
ConnectAuthentication

Authentication

All API routes require authentication. (Public access at data model level.) The platform supports three authentication methods.

1. Login (JWT Token)

Exchange credentials for a short-lived access token and a refresh token.

POST /api/auth/login
curl -X POST https://your-domain.com/api/auth/login \ -H "Content-Type: application/json" \ -d '{"email": "user@example.com", "password": "secret"}'

Response:

{ "data": { "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refresh_token": "v1.AAAA...", "expires": 3600000 } }

Using the token

Include the access token in the Authorization header on every subsequent request:

Authorization: Bearer <access_token>

Refreshing the token

Access tokens expire according to your Supabase JWT config (default: 1 hour). Use the refresh token to get a new pair:

POST /api/auth/refresh
{ "refresh_token": "v1.AAAA..." }

When logging in from a browser, the platform automatically sets secure httpOnly cookies. Subsequent requests from the same browser include the cookie automatically — no manual token management needed.

Session cookies are the default method used by the DaaS Studio (admin UI). For server-to-server or mobile clients, use JWT bearer tokens or static tokens instead.

3. Static Token (API Keys)

Static tokens are long-lived API keys that don’t expire. They are ideal for CI/CD pipelines, server-to-server integrations, and automation scripts.

Generate a token

Via the UI: Users → Edit User → Generate Token → Save

Via the API:

# 1. Generate a random string curl "https://your-domain.com/api/utils/random/string?length=32" \ -H "Authorization: Bearer <admin_token>" # 2. Assign it to a user curl -X PATCH "https://your-domain.com/api/users/<user_id>" \ -H "Authorization: Bearer <admin_token>" \ -H "Content-Type: application/json" \ -d '{"token": "<generated_string>"}'

Use the static token

curl https://your-domain.com/api/items/posts \ -H "Authorization: Bearer <static_token>"

Static tokens bypass Row-Level Security at the database layer. Permissions are still enforced at the application layer. Use JWT tokens where database-level RLS enforcement is required.

Password Reset

POST /api/auth/password/request → sends reset email Body: { email } POST /api/auth/password/reset → completes reset with token from email Body: { token, password }

Password reset requires SMTP or Supabase email to be configured in your project. Without this, reset emails will not be delivered.

Current User

GET /api/auth/user

Returns the authenticated user’s profile and role information.

Logout

POST /api/auth/logout

Invalidates the current session server-side. Scope depends on how you authenticate:

  • Bearer token (Authorization header) — only the session for that specific token is revoked; other active sessions on other devices are unaffected.
  • Session cookie (browser) — all sessions for the user are revoked across all devices.

Bearer token clients must pass the token in the Authorization header so the server knows which session to revoke. Omitting the header falls back to cookie-based session logout.

curl -X POST https://your-domain.com/api/auth/logout \ -H "Authorization: Bearer <access_token>"

The session is revoked server-side immediately — the token will be rejected by any subsequent request even before its natural expiry time.

Error Responses

All auth errors follow the standard error envelope:

{ "errors": [ { "message": "Invalid user credentials", "extensions": { "code": "INVALID_CREDENTIALS" } } ] }
CodeMeaning
INVALID_CREDENTIALSWrong email or password
INVALID_TOKENRefresh token is invalid or expired — log in again
INVALID_PAYLOADMissing or malformed request body field
INTERNAL_SERVER_ERRORUnexpected server-side failure
Last updated on