Auth
Two-tier credential model:
- API key — long-lived client secret. Used only to issue tokens or rotate credentials.
- Access token (JWT) — short-lived (15 min), sent on every request.
- Refresh token — used to rotate the access token without re-exposing the API key.
Endpoints
- POST /auth/api/token — issue access + refresh pair
- POST /auth/api/refresh — rotate access token
- POST /auth/api/revoke — invalidate tokens
- POST /auth/api/rotate-key — rotate the API key itself
Typical flow
/auth/api/token → access (15m) + refresh (30d)
(every request) → Authorization: Bearer <access>
+ x-user-id: <end-user id>
/auth/api/refresh → new access + refresh pair
(old refresh revoked immediately)
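The flow above as an added, runnable example (not code from this page or its service): a client that spends the API key only on the initial /auth/api/token call, sends Bearer access + x-user-id on every request, and refreshes shortly before the 15-minute expiry, against an in-memory stand-in for the auth endpoints. The response field names (access, access_exp, refresh), the method-call transport and the opaque stand-in tokens are assumptions, not the real wire format.

```python
import secrets

# Constructed in-memory stand-in for /auth/api/token and /auth/api/refresh.
class FakeAuthServer:
    ACCESS_TTL = 15 * 60            # access token lifetime from the docs (15 min)
    REFRESH_TTL = 30 * 24 * 3600    # refresh token lifetime from the docs (30 d)

    def __init__(self, api_key):
        self.api_key = api_key
        self.live_refresh = {}      # refresh token -> expiry; revoked ones are deleted

    def _issue_pair(self, now):
        access = secrets.token_urlsafe(16)   # stand-in for the signed JWT
        refresh = secrets.token_urlsafe(32)
        self.live_refresh[refresh] = now + self.REFRESH_TTL
        return {"access": access, "access_exp": now + self.ACCESS_TTL, "refresh": refresh}

    def token(self, api_key, now):
        # Constant-time compare so the API key check does not leak via timing.
        if not secrets.compare_digest(api_key, self.api_key):
            raise PermissionError("bad API key")
        return self._issue_pair(now)

    def refresh(self, refresh_token, now):
        # pop() revokes the old refresh token immediately: a replay finds nothing.
        exp = self.live_refresh.pop(refresh_token, None)
        if exp is None or exp <= now:
            raise PermissionError("refresh token revoked or expired")
        return self._issue_pair(now)


class TokenClient:
    """Uses the API key only to obtain the first pair; requests carry the access token."""
    SKEW = 60   # refresh this many seconds before the access token expires

    def __init__(self, server, api_key):
        self.server, self.api_key, self.pair = server, api_key, None

    def headers(self, user_id, now):
        if self.pair is None:
            self.pair = self.server.token(self.api_key, now)
        elif self.pair["access_exp"] - self.SKEW <= now:
            # Rotation: store the new pair; the old refresh token is now dead server-side.
            self.pair = self.server.refresh(self.pair["refresh"], now)
        return {"Authorization": f"Bearer {self.pair['access']}", "x-user-id": user_id}
```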