All protected InfraAudit API endpoints require a Bearer token in the Authorization header. This page explains how to obtain a token, how to use it, and how long-lived API keys work.

Pass the token

Include your token on every request:
Authorization: Bearer <access_token>

Get a token

InfraAudit uses Supabase Auth. Your access token is a signed JWT issued by your Supabase project. There are three ways to obtain one.

Option 1: Sign in via the Supabase client

Use the Supabase JavaScript SDK if you’re building a browser or Node.js integration:
import { createClient } from '@supabase/supabase-js'

// SUPABASE_URL and SUPABASE_ANON_KEY are the values from your Supabase project settings.
const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY)

const { data, error } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'your-password',
})

// On a failed sign-in `data.session` is null, so check the error before reading the token.
if (error) throw error

const token = data.session.access_token

Option 2: Sign in via the InfraAudit API

POST your credentials to /api/login to receive a token directly:
curl -X POST https://api.infraaudit.dev/v1/api/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "your-password"}'
Response:
{
  "user": {
    "id": 1,
    "email": "user@example.com",
    "role": "user"
  },
  "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Option 3: Use the CLI

The CLI stores the token automatically after login:
infraudit auth login --email user@example.com --password your-password
The token is saved to ~/.infraudit/config.yaml and used by all subsequent CLI commands.

Use the token in requests

export TOKEN="eyJhbGciOi..."

curl https://api.infraaudit.dev/v1/resources \
  -H "Authorization: Bearer $TOKEN"

API keys

For non-interactive use cases such as CI/CD pipelines and automated scripts, create a long-lived API key instead of using a session token.

Create an API key in the web UI: navigate to Settings → API Keys and click New key.

Create an API key via the API:
curl -X POST https://api.infraaudit.dev/v1/settings/api-keys \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI/CD Pipeline"}'
Response:
{
  "id": 2,
  "name": "CI/CD Pipeline",
  "key": "ia_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
The full API key value is returned only at creation time. Store it in your secrets manager immediately — it cannot be retrieved again.
API keys use the same Authorization: Bearer header as session tokens.

Token format

Tokens are Supabase JWTs signed with either:
  • ES256 — ECDSA with a key pair managed by Supabase, verified via JWKS at {SUPABASE_URL}/auth/v1/.well-known/jwks.json
  • HS256 — HMAC using SUPABASE_JWT_SECRET
The auth middleware accepts tokens signed with either algorithm.

SSE / EventSource requests

For server-sent events endpoints, pass the token as a query parameter instead of a header:
GET /api/ws/drifts?token=eyJhbGciOi...

401 vs 403

Status            Meaning
401 Unauthorized  No token provided, token expired, or token is invalid
403 Forbidden     Token is valid but the user lacks permission for this resource