Postixly
Começar grátis
Toda a documentação
DOCS api / authentication

Authentication

Authenticate with API keys or Supabase Bearer JWT tokens.

Authentication

All protected routes support two authentication methods:

  1. API Key (X-API-Key)
  2. Supabase JWT (Authorization: Bearer <token>)

API Key authentication

X-API-Key: sp_your_api_key_here

Generate keys with:

  • POST /api-keys
  • Revoke with DELETE /api-keys/:id

Keys are returned only once at creation time and stored hashed (SHA-256) in database.

Bearer JWT authentication

Authorization: Bearer <supabase_access_token>

JWT tokens are validated through Supabase Auth on each request.

Scope and account context

  • API key requests run with defaultAccountId = account_id from the key.
  • JWT requests run with defaultAccountId = userId (personal account).
  • Team context can be passed using workspace_id where supported.

Security Note: Keep your API keys secure. Do not expose them in client-side code (browsers). If a key is compromised, revoke it immediately in your dashboard.