Authentication
Passing JWT accesstoken
Most endpoints in the Hautech API require authentication. To access these protected resources, you must include a valid JWT access token in the Authorization header of your HTTP requests. This token can be obtained in one of two ways:
- API Token from Developers Portal: when you create a new application key in the developer portal, a popup displays both the app keys and the API token. This token is generated immediately and can be used for authentication without any additional JWT signing.
- Self-Signed JWT: a token you generate yourself using your App credentials.
Both types of tokens are used in exactly the same way in your API requests. For example:
Authorization: Bearer <your_jwt_token>
Signing JWT with private key
When generating a self-signed JWT, you must include the required claim kind
to indicate which API the token is intended for. Supported values:
- core-api: Use this to access the Core API (operations, images, collections, etc.).
- directory-api: Use this to access the Directory API for working with user profiles and organizations.
Example: core-api token
const fs = require("fs");
const jwt = require("jsonwebtoken");

// RS256 is an asymmetric algorithm: sign with your App's RSA private key (PEM),
// not with a plain secret string (jsonwebtoken rejects a non-key string for RS256).
// The file path is a placeholder for wherever you keep the App's private key.
const privateKey = fs.readFileSync("path/to/your-app-private-key.pem");

const payload = {
  iss: "your-app-id",
  sub: "user@example.com", // subject of the token (can be email or your internal user id)
  kind: "core-api", // REQUIRED: token kind
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + 60 * 60, // Expires in 1 hour
  permissions: ["*"] // Example: wildcard permission for full access (use with caution)
};

const header = {
  kid: "your-app-key-id" // Include the key ID in the header so the API can select the matching public key
};

const token = jwt.sign(payload, privateKey, {
  algorithm: "RS256",
  header
});

console.log(token);
Example: directory-api token
const fs = require("fs");
const jwt = require("jsonwebtoken");

// Same as above: RS256 needs the App's RSA private key in PEM form; the path is a placeholder.
const privateKey = fs.readFileSync("path/to/your-app-private-key.pem");

const payload = {
  iss: "your-app-id",
  sub: "idp|1234567890", // account id from your identity provider
  kind: "directory-api", // REQUIRED: token kind for Directory API
  iat: Math.floor(Date.now() / 1000),
  exp: Math.floor(Date.now() / 1000) + 60 * 60, // Expires in 1 hour
  permissions: [
    "directory.profiles.read", // read-only access to profiles
    "directory.organizations.*" // every operation in the directory.organizations namespace
  ]
};

const header = { kid: "your-app-key-id" }; // key ID so the API can select the matching public key

const token = jwt.sign(payload, privateKey, {
  algorithm: "RS256",
  header
});

console.log(token);
Permissions
You can retrieve the complete list of available permissions by sending a GET request to:
GET https://api.hautech.ai/v1/permissions/available
Permissions support a wildcard at the end of a permission string. For example, the permission collections.items.* grants access to all operations within the collections.items namespace.
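As an added example (not code from the Hautech docs or SDK), the following Node.js helper checks a payload before you sign it: that kind matches the API you are about to call, that exp is still in the future, and that the permissions array actually covers what the call needs without falling back to the full-access "*". The function names, the sample payload values, and the segment-boundary matching rule (collections.items.* covers collections.items.read but not collections.itemsX.read) are assumptions of this example; the docs only state that a wildcard is allowed at the end of a permission string.

```javascript
// Added example, not Hautech's own code. Wildcard semantics follow the docs'
// rule ("*" only as the final segment, covering everything under that
// namespace); matching on dot-separated segments is this example's assumption.

// Does one granted permission string cover one required permission?
function permissionCovers(granted, required) {
  if (granted === "*") return true;                 // full access
  const gSeg = granted.split(".");
  const rSeg = required.split(".");
  if (gSeg[gSeg.length - 1] === "*") {
    const ns = gSeg.slice(0, -1);                   // namespace before the wildcard
    if (ns.includes("*")) return false;             // wildcard is only valid at the end
    if (rSeg.length <= ns.length) return false;     // must be something *within* the namespace
    return ns.every((seg, i) => seg === rSeg[i]);   // compare whole segments, not prefixes
  }
  return granted === required;                      // no wildcard: exact match only
}

// Required permissions that none of the token's granted permissions cover.
function missingPermissions(claims, requiredPerms) {
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  return requiredPerms.filter((req) => !granted.some((g) => permissionCovers(g, req)));
}

// Returns a list of problems (empty when the payload is fit for the call).
function checkClaims(claims, expectedKind, requiredPerms, nowSec = Math.floor(Date.now() / 1000)) {
  const problems = [];
  if (claims.kind !== expectedKind) {
    problems.push(`kind is "${claims.kind}", expected "${expectedKind}"`);
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    problems.push("token expired or exp missing");
  }
  const missing = missingPermissions(claims, requiredPerms);
  if (missing.length > 0) problems.push(`missing permissions: ${missing.join(", ")}`);
  if ((claims.permissions || []).includes("*")) {
    problems.push('wildcard "*" grants full access; narrow it to what the call needs');
  }
  return problems;
}

// Constructed sample payload, shaped like the directory-api example above
// (fixed iat/exp so the check is reproducible).
const samplePayload = {
  iss: "your-app-id",
  sub: "idp|1234567890",
  kind: "directory-api",
  iat: 1700000000,
  exp: 1700003600,
  permissions: ["directory.profiles.read", "directory.organizations.*"]
};

module.exports = { permissionCovers, missingPermissions, checkClaims, samplePayload };
```

Run the same check on the core-api example above and it flags the "*" permission, which is the point: mint tokens with the narrowest set the call needs, and use the full wildcard only when you really need everything.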
Remember to include your token in the Authorization header for every request to protected endpoints.