Authentication

All documented Public API endpoints authenticate with a bearer token carried in the Authorization header:
Authorization: Bearer <token>

User JWT Bearer Tokens

Use an Auth0 user JWT when a human user is acting in the dashboard or when a workflow must perform user-only actions, such as API key management. User JWT principals can:
  • call tenant-scoped customer API endpoints
  • create, reveal, list, and delete API keys
  • call user-only endpoints such as /users/me

Service-Principal API Keys

Use a Breezy API key for server-to-server automation, sent as the bearer token:
Authorization: Bearer bzy_live_...
API key principals resolve as service actors with tenant scope. They can call tenant-scoped customer API endpoints but cannot manage API keys or call user-only endpoints.

Header Rules

  • Send exactly one Authorization bearer token.
  • Never send API keys in query parameters.
  • Staff impersonation headers are not part of the public customer API.
See: packages/backend/src/infra/auth/auth.service.ts
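The following is an added example, not code from auth.service.ts or the Breezy project, showing how a request gate can apply the header rules and the principal distinction described above. It assumes that the bzy_live_ prefix is enough to classify a token, that user JWTs are verified elsewhere (e.g. by the Auth0 SDK) before the gate runs, and that the key table and route names are constructed for illustration.

```typescript
// Added example: a request gate built from the rules on this page.
// Assumption: JWT signature/claims validation has already happened upstream.
export type PrincipalKind = "user" | "service";

// Constructed API-key table standing in for the real key store.
const API_KEYS: Record<string, { tenantId: string }> = {
  bzy_live_example0001: { tenantId: "tenant-a" },
};

// Endpoints reserved for user JWT principals (illustrative route names).
const USER_ONLY_ROUTES = [/^\/users\/me$/, /^\/api-keys(\/.*)?$/];

export interface Headers { authorization?: string | string[] }

// Header rules: exactly one Authorization bearer token, no API key in the query string.
export function extractBearer(headers: Headers, query: Record<string, string>): string | null {
  if (Object.values(query).some((v) => v.startsWith("bzy_live_"))) return null;
  const raw = headers.authorization;
  const values = Array.isArray(raw) ? raw : raw === undefined ? [] : [raw];
  if (values.length !== 1) return null;
  // "Bearer a, Bearer b" (joined duplicate headers) fails this match on purpose.
  const m = /^Bearer\s+(\S+)$/.exec(values[0]);
  return m ? m[1] : null;
}

// API keys carry the bzy_live_ prefix; anything else is treated as a user JWT.
export function classifyToken(token: string): PrincipalKind {
  return token.startsWith("bzy_live_") ? "service" : "user";
}

// API key principals resolve to a tenant-scoped service actor.
export function resolveServiceTenant(token: string): string | null {
  return API_KEYS[token]?.tenantId ?? null;
}

// Service actors may not manage API keys or call user-only endpoints.
export function canAccess(kind: PrincipalKind, path: string): boolean {
  return !(kind === "service" && USER_ONLY_ROUTES.some((r) => r.test(path)));
}

// 401 for header-rule violations or unknown keys, 403 for a service
// principal on a user-only route, 200 otherwise.
export function gate(headers: Headers, query: Record<string, string>, path: string): number {
  const token = extractBearer(headers, query);
  if (token === null) return 401;
  const kind = classifyToken(token);
  if (kind === "service" && resolveServiceTenant(token) === null) return 401;
  return canAccess(kind, path) ? 200 : 403;
}
```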