Authentication API¶
Learn how to authenticate with the Archivus API using JWT tokens or API keys.
Overview¶
Archivus supports two authentication methods:
- API Keys - For server-to-server integrations (recommended, never expire)
- JWT Tokens - For web and mobile applications (expire after 24 hours)
API Key Authentication¶
Overview¶
API keys provide persistent authentication ideal for backend services and integrations.
Benefits:
- Never expire (until manually revoked)
- Simpler integration (single header)
- No token refresh logic needed
- Per-key scoping and permissions
Generate API Key¶
Create an API key for your account.
Headers:
Request Body:
{
"name": "Production Integration",
"scopes": ["documents:read", "documents:write", "search:read"]
}
Response:
{
"id": "key_abc123",
"api_key": "ak_live_abc123def456ghi789jkl012mno345pqr678stu",
"name": "Production Integration",
"scopes": ["documents:read", "documents:write", "search:read"],
"created_at": "2026-01-18T10:30:00Z"
}
Save Your API Key
The API key is only shown once. Store it securely - you won't be able to retrieve it again.
Using API Keys¶
Include the API key in the X-API-Key header:
List API Keys¶
Get all API keys for your account.
Response:
{
"api_keys": [
{
"id": "key_abc123",
"name": "Production Integration",
"scopes": ["documents:read", "documents:write"],
"created_at": "2026-01-18T10:30:00Z",
"last_used_at": "2026-01-18T14:30:00Z"
},
{
"id": "key_def456",
"name": "Development Testing",
"scopes": ["documents:read"],
"created_at": "2026-01-15T09:00:00Z",
"last_used_at": "2026-01-17T16:00:00Z"
}
]
}
Revoke API Key¶
Delete an API key permanently.
Response:
API Key Scopes¶
Available scopes for API keys:
| Scope | Description |
|---|---|
documents:read | Read document metadata and content |
documents:write | Upload, update, and delete documents |
search:read | Search documents |
chat:read | Read chat sessions and messages |
chat:write | Create chat sessions and ask questions |
webhooks:read | List webhooks |
webhooks:write | Create, update, and delete webhooks |
workflows:read | View workflows and executions |
workflows:write | Create and execute workflows |
admin:read | Read admin resources |
admin:write | Modify admin resources |
JWT Authentication¶
Overview¶
JWT tokens provide user-specific authentication ideal for web and mobile applications.
Benefits:
- User-specific permissions
- Secure for browser applications
- OAuth integration support
- Automatic expiration
Login¶
Authenticate and receive a JWT token.
Request Body:
Response:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "refresh_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expires_at": "2026-01-19T10:30:00Z",
"user": {
"id": "user_xyz789",
"email": "user@example.com",
"first_name": "John",
"last_name": "Doe",
"role": "admin"
},
"tenant": {
"id": "tenant_abc123",
"name": "Acme Corp",
"subdomain": "acme-corp",
"tier": "pro"
}
}
Error Responses:
{
"error": "invalid_credentials",
"code": "INVALID_CREDENTIALS",
"message": "Invalid email or password"
}
Using JWT Tokens¶
Include the token in the Authorization header with the Bearer scheme:
Register¶
Create a new user account.
Request Body:
{
"email": "newuser@example.com",
"password": "securepassword123",
"first_name": "Jane",
"last_name": "Smith",
"account_type": "individual",
"tenant_name": "Jane's Workspace"
}
Response: Same as login response
Refresh Token¶
Refresh an expired access token using the refresh token.
Request Body:
Response:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "refresh_eyJhbGciOiJIUz...",
"expires_at": "2026-01-19T10:30:00Z"
}
Logout¶
Invalidate the current session.
Response:
Password Management¶
Forgot Password¶
Request a password reset email.
Request Body:
Response:
Reset Password¶
Reset password using the token from email.
Request Body:
Change Password¶
Change password while authenticated.
Headers:
Request Body:
OAuth Authentication¶
Google OAuth¶
Authenticate using Google OAuth.
Request Body:
Response: Same as login response
Apple OAuth¶
Authenticate using Apple Sign In.
Request Body:
GitHub OAuth¶
Authenticate using GitHub OAuth.
Request Body:
Email Verification¶
Verify Email¶
Verify email address using token from email.
Request Body:
Resend Verification¶
Resend verification email.
Headers:
CSRF Protection¶
For mutation requests (POST, PUT, DELETE) from browsers, CSRF protection is required.
Get CSRF Token¶
Response:
Use CSRF Token¶
Include in the X-CSRF-Token header:
curl -X POST https://api.archivus.app/api/v1/documents/upload \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "X-Tenant-Subdomain: your-tenant" \
-H "X-CSRF-Token: csrf_1234567890abcdef" \
-F "file=@document.pdf"
Security Best Practices¶
Store Credentials Securely¶
Never Commit Secrets
Never commit API keys or tokens to version control.
Rotate API Keys¶
Regularly rotate API keys for security:
- Create a new API key
- Update your application to use the new key
- Verify the new key works
- Revoke the old key
Use HTTPS¶
Always use HTTPS in production to prevent token interception.
Handle Token Expiration¶
Implement automatic token refresh:
async function makeAuthenticatedRequest(url) {
let token = getStoredToken();
try {
return await fetch(url, {
headers: { 'Authorization': `Bearer ${token}` }
});
} catch (error) {
if (error.code === 'TOKEN_EXPIRED') {
token = await refreshToken();
return await fetch(url, {
headers: { 'Authorization': `Bearer ${token}` }
});
}
throw error;
}
}
Error Responses¶
Invalid Credentials¶
Status: 401 Unauthorized
{
"error": "invalid_credentials",
"code": "INVALID_CREDENTIALS",
"message": "Invalid email or password"
}
Token Expired¶
Status: 401 Unauthorized
Invalid API Key¶
Status: 401 Unauthorized
Missing CSRF Token¶
Status: 403 Forbidden
{
"error": "csrf_token_required",
"code": "CSRF_TOKEN_REQUIRED",
"message": "CSRF token is required for this request"
}
Next Steps¶
-
Upload Documents
Start using authenticated endpoints to upload documents
-
Create Webhooks
Set up real-time notifications for your integration
-
Error Handling
Learn how to handle authentication errors