Authentication

Most Hautech API endpoints require authentication. Include a valid JWT access token in the Authorization header of your HTTP requests. You can obtain this token in one of two ways:

  • API token from the developer portal: When you create a new application key, a token is generated immediately. Use it directly for authentication without additional signing.
  • Self-signed JWT: Sign a JWT with your app credentials when you need more control over claims or expiration.

Both token types are used identically in requests:

Authorization: Bearer <your_jwt_token>

Signing a JWT with a private key

When generating a self-signed JWT, include the required kind claim to indicate which API the token targets. Supported values are:

  • core-api — Access Core API endpoints (operations, images, collections, and more).
  • directory-api — Access Directory API endpoints for user profiles and organizations.

Example: core-api token

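import jwt from 'jsonwebtoken';

const payload = {
  iss: 'your-app-id',                             // issuer: your application ID
  sub: 'user@example.com',                        // subject of the token
  kind: 'core-api',                               // required: targets the Core API
  iat: Math.floor(Date.now() / 1000),             // issued at (seconds since epoch)
  exp: Math.floor(Date.now() / 1000) + 60 * 60,   // expires one hour after issue
  permissions: ['*'],                             // wildcard; list narrower permissions where you can
};

const header = {
  kid: 'your-app-key-id',                         // ID of the app key used to sign
};

// RS256 is an RSA signature, so the second argument must be the PEM-encoded
// private key of your app key. Load it from a secret store or environment
// variable rather than committing it to source control.
const token = jwt.sign(payload, 'your-app-key-secret', {
  algorithm: 'RS256',
  header,
});

console.log(token);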

Example: directory-api token

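import jwt from 'jsonwebtoken';

const payload = {
  iss: 'your-app-id',                             // issuer: your application ID
  sub: 'idp|1234567890',                          // subject of the token
  kind: 'directory-api',                          // required: targets the Directory API
  iat: Math.floor(Date.now() / 1000),             // issued at (seconds since epoch)
  exp: Math.floor(Date.now() / 1000) + 60 * 60,   // expires one hour after issue
  // One exact permission plus one namespace wildcard.
  permissions: ['directory.profiles.read', 'directory.organizations.*'],
};

const header = {
  kid: 'your-app-key-id',                         // ID of the app key used to sign
};

// RS256 is an RSA signature, so the second argument must be the PEM-encoded
// private key of your app key, not a shared secret string.
const token = jwt.sign(payload, 'your-app-key-secret', {
  algorithm: 'RS256',
  header,
});

console.log(token);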

Permissions

Retrieve the list of available permissions with:

GET https://api.hautech.ai/v1/permissions/available

Permissions support wildcards at the end of the string. For example, collections.items.* grants access to every operation in the collections.items namespace.
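
A client-side pre-flight check for the claims described above, as an added example that is not Hautech's code: it decodes a token's payload without verifying the signature, then checks kind, exp, and whether the granted permissions cover the permission a request needs. The function names, the sample permission name, and the exact matching rules (a bare * or a trailing .* covering everything in its namespace) are assumptions based on the description on this page.

```javascript
// Added example, not Hautech code. The matching rules are an assumption
// based on the page: a wildcard is honoured only at the end of the string.
const SUPPORTED_KINDS = ['core-api', 'directory-api'];

// Does one granted permission string cover the required permission?
function permissionCovers(granted, required) {
  if (granted === required || granted === '*') return true;
  if (!granted.endsWith('.*')) return false;    // no trailing wildcard
  const prefix = granted.slice(0, -1);          // keep the dot: "a.b."
  if (prefix.includes('*')) return false;       // wildcard elsewhere: reject
  return required.startsWith(prefix);           // "a.b.*" never covers "a.bc.x"
}

// Decode the payload segment WITHOUT verifying the signature. This is a
// client-side sanity check only; the API remains the authority.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Return the names of the claims that look wrong; empty means none found.
function preflight(token, required, now = Math.floor(Date.now() / 1000)) {
  const claims = decodePayload(token);
  const problems = [];
  if (!SUPPORTED_KINDS.includes(claims.kind)) problems.push('kind');
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('exp');
  const perms = Array.isArray(claims.permissions) ? claims.permissions : [];
  const ok = perms.some((p) => typeof p === 'string' && permissionCovers(p, required));
  if (!ok) problems.push('permissions');
  return problems;
}

// Build a constructed sample token (placeholder signature, not valid for the API).
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'your-app-key-id' })}.${enc(claims)}.constructed`;
}

const sample = makeSampleToken({
  kind: 'directory-api',
  exp: Math.floor(Date.now() / 1000) + 3600,
  permissions: ['directory.profiles.read', 'directory.organizations.*'],
});
console.log(preflight(sample, 'directory.organizations.update')); // hypothetical permission name
```

Running the same matcher over a token's permissions before signing also shows how much a trailing wildcard actually grants, which helps keep tokens scoped to what the caller needs.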

Always include your token in the Authorization header for any request to protected endpoints.