Authentication
JWT Tokens & API Keys
Two auth methods supported via Bearer token: JWT for interactive users, API keys for programmatic access with fine-grained scopes.
Authentication
Two authentication methods, both sent as a Bearer token in the Authorization header.
JWT Tokens
For interactive users (web/desktop). Issued by Supabase after sign-in. Access is determined by the user's organisation role.
API Keys
For programmatic/service access. Created via the API with fine-grained scope restrictions.
Format
Example: edd_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8
The full key is only returned once at creation time. Only a hashed version is stored.
Creating an API Key
Expiration options: 7d, 30d, 90d, 1y, or never.
Using an API Key
Management Endpoints
| Method | Endpoint | Description |
|---|---|---|
Scopes
API keys are restricted to an explicit set of scopes. You can use presets or granular scopes.
Presets
Granular Scopes
| Category | Scopes |
|---|---|
An API key can only be granted scopes that the creating user's role permits. AI scopes require a Full or Premium seat.
Permission Model
Security
Rate Limiting
When exceeded, a 429 Too Many Requests response is returned with a Retry-After header.
Error Handling
All API errors follow a consistent JSON structure. Use the status code and error details to handle failures gracefully.
Error Response Format
Webhook Events
Action:
X-Eddytor-Signature header. Verify using HMAC-SHA256 with your webhook secret before processing.
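The verification step described above, as an added example that is not code from the Eddytor documentation. It assumes the X-Eddytor-Signature header carries the hex-encoded HMAC-SHA256 of the raw request body, which this page does not state; the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "X-Eddytor-Signature"  # header name taken from the page

# Constructed sample values, not real credentials or real event names.
SECRET = b"constructed-webhook-secret"
BODY = b'{"event":"example.event","id":"constructed-123"}'


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw body (hex encoding is an assumption)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the signature header matches the raw request bytes."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # unsigned request: reject instead of processing it
    expected = sign(secret, raw_body)
    # Constant-time comparison avoids leaking how many characters matched.
    # Comparing bytes keeps non-ASCII header input from raising TypeError.
    return hmac.compare_digest(expected.encode(), received.strip().lower().encode())


def handle_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Verify first, parse second: untrusted JSON is never read before the check."""
    if not verify_webhook(secret, headers, raw_body):
        return 401, None
    return 200, json.loads(raw_body)


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: sign(SECRET, BODY)}
    print(handle_webhook(SECRET, good, BODY))
    print(handle_webhook(SECRET, good, BODY + b" "))
```

Compute the HMAC over the bytes exactly as received; a body that has been parsed and re-serialised by a framework will usually no longer match the signature.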
Schemas
Data models used across the API.