Skip to main content

Authentication

Passing JWT accesstoken

Most of endpoints in the Hautech API require authentication. To access these protected resources, you must include a valid JWT access token in the Authorization header of your HTTP requests. This token can be obtained in one of two ways:

  • API Token from Developers Portal:
    When you create a new application key in the developer portal, you'll see a popup displaying both the app keys and the API token. This token is generated immediately and can be used for authentication without requiring additional JWT signing.

  • Self-Signed JWT:
    Generated using your App credentials.

Both types of tokens are used in exactly the same way in your API requests. For example:

Authorization: Bearer <your_jwt_token>

Signing JWT with private key

When generating a self-signed JWT, you must include the required claim kind to indicate which API the token is intended for. Supported values:

  • core-api: Use this to access the Core API (operations, images, collections, etc.).
  • directory-api: Use this to access the Directory API for working with user profiles and organizations.

Example: core-api token

const jwt = require("jsonwebtoken");

const payload = {
  iss: "your-app-id",
  sub: "user@example.com", // subject of the token (can be email or your internal user id)
  kind: "core-api", // REQUIRED: token kind
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + 60 * 60, // Expires in 1 hour
  permissions: ["*"] // Example: wildcard permission for full access (use with caution)
};

const header = {
  kid: "your-app-key-id" // Include the key ID in the header
};

const token = jwt.sign(payload, "your-app-key-secret", {
  algorithm: "RS256",
  header
});
console.log(token);

Example: directory-api token

const jwt = require("jsonwebtoken");

const payload = {
  iss: "your-app-id", 
  sub: "idp|1234567890", // account id from your identity provider
  kind: "directory-api", // REQUIRED: token kind for Directory API
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + 60 * 60,
  permissions: [
    "directory.profiles.read",
    "directory.organizations.*"
  ]
};

const header = { kid: "your-app-key-id" };

const token = jwt.sign(payload, "your-app-key-secret", {
  algorithm: "RS256",
  header
});
console.log(token);

Permissions

You can retrieve the complete list of available permissions by sending a GET request to:

GET https://api.hautech.ai/v1/permissions/available

Permissions support wildcards at the end of a permission string. For example, using a permission like collections.items.* grants access to all operations within the collections.items namespace.

Remember to include your token in the Authorization header for every request to protected endpoints.