Back to api

Authentication

Authentication

The API uses Bearer-token authentication. There are two ways to get a token.

Long-lived API keys

For server-to-server use:

  1. Settings > Security > API Keys
  2. Click Generate API Key, give it a name (e.g. "ERP integration")
  3. Copy the token shown once — we never display it again
  4. Use it as Authorization: Bearer YOUR_KEY

API keys can be scoped to specific roles (viewer, staff, manager, admin) when generated.

JWTs from password login

For interactive use:

POST /api/v1/auth/login
{ "email": "you@example.com", "password": "..." }
→ { "accessToken": "…", "refreshToken": "…", "expiresIn": 900 }

The accessToken lasts 15 minutes. Use the refreshToken against POST /auth/refresh to get a fresh access token without re-authenticating.

Tenant scoping

Every authenticated request runs within your tenant. You cannot read or write data from another tenant — the API enforces this server-side regardless of any IDs you pass.

Revoking

API keys can be revoked from the same Security page. Revocation is immediate.

Was this article helpful?

Related Articles

Still have questions?

Our support team is here to help.