Authentication & Tokens¶
Every API request (except a small number of public endpoints) must include an Authorization header. Two token types are accepted:
See Getting Started: Authentication for how to obtain tokens and which type to use. This page covers the technical contract.
JWT bearer tokens¶
JWT tokens are issued by the Rodauth login endpoint:
The JWT is returned in the response Authorization header, not the body.
Token claims:
| Claim | Value |
|---|---|
account_id | UUID of the authenticated account |
authenticated_by | Array of methods used (e.g. ["password"]) |
JWTs are short-lived. When a token expires, re-authenticate via POST /login.
Static API tokens¶
Static tokens are long-lived, org-scoped, and carry explicit permission scopes. They are created through the dashboard or directly in the database. Static tokens:
- Do not expire automatically.
- Carry
Bearerprefix exactly like JWTs — the API determines the type from the token format. - Are scoped to one organization; cross-org requests with a static token are rejected.
- Require at least one scope; empty-scope tokens are denied (deny-by-default).
Scopes follow <category>:<action>, e.g.:
Unauthenticated endpoints¶
These endpoints do not require a token:
| Endpoint | Description |
|---|---|
GET /invite/{token} | Show invitation by token |
PATCH /invite/{token}/accept | Accept invitation |
PATCH /invite/{token}/decline | Decline invitation |
GET /invitations/details?token=... | Invitation details |
POST /webhooks/{id}/receive | Inbound webhook payload |
All other endpoints return 401 Unauthorized when no valid token is supplied.
Error responses¶
| Status | code | Cause |
|---|---|---|
401 | unauthorized | No token or invalid token |
403 | forbidden | Valid token but insufficient permissions |
429 | rate_limited | Too many requests (300 req/60 s per token) |