Authentication
Authentication
The API uses Bearer-token authentication. There are two ways to get a token.
Long-lived API keys
For server-to-server use:
- Settings > Security > API Keys
- Click Generate API Key, give it a name (e.g. "ERP integration")
- Copy the token shown once — we never display it again
- Use it as
Authorization: Bearer YOUR_KEY
API keys can be scoped to specific roles (viewer, staff, manager, admin) when generated.
JWTs from password login
For interactive use:
POST /api/v1/auth/login
{ "email": "you@example.com", "password": "..." }
→ { "accessToken": "…", "refreshToken": "…", "expiresIn": 900 }
The accessToken lasts 15 minutes. Use the refreshToken against POST /auth/refresh to get a fresh access token without re-authenticating.
Tenant scoping
Every authenticated request runs within your tenant. You cannot read or write data from another tenant — the API enforces this server-side regardless of any IDs you pass.
Revoking
API keys can be revoked from the same Security page. Revocation is immediate.