Authentication

Engium supports two authentication strategies: long-lived API keys for server-to-server calls and short-lived JWT tokens for user-facing browser clients. Both require an X-Tenant-ID header.

info

Prerequisites

•API key from Settings → Developer → API Keys.
•Your Tenant ID (shown on the same page).

Implementation

terminal

# --- Option A: API Key (server-side) ---
curl https://api.engium.app/api/v1/bookings \
  -H "Authorization: Bearer eng_live_xxxxxxxxxxxx" \
  -H "X-Tenant-ID: 3fa85f64-5717-4562-b3fc-2c963f66afa6"

# --- Option B: JWT exchange (browser clients) ---
curl -X POST https://api.engium.app/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@yourco.com","password":"YOUR_PASS"}'

# Refresh an expired access token:
curl -X POST https://api.engium.app/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token":"YOUR_REFRESH_TOKEN"}'

Request Parameters

Parameter	Type	Requirement	Description
`Authorization`	Header · string	Required	Bearer {api_key} or Bearer {jwt_token}. Present on every request.
`X-Tenant-ID`	Header · UUID	Required	Your Tenant UUID. All data is scoped to this tenant; requests without it return 400.
`Content-Type`	Header · string	Optional	Required as application/json for POST / PATCH / PUT bodies.

AuthorizationRequired

Bearer {api_key} or Bearer {jwt_token}. Present on every request.

Type:Header · string

X-Tenant-IDRequired

Your Tenant UUID. All data is scoped to this tenant; requests without it return 400.

Type:Header · UUID

Content-TypeOptional

Required as application/json for POST / PATCH / PUT bodies.

Type:Header · string

warning

API keys are secrets

Never include an API key in frontend JavaScript, mobile binaries, or public repositories. Use environment variables server-side and rotate keys immediately if compromised.

info

JWT token expiry

Access tokens expire after 30 minutes. Use the refresh_token returned at login to get a new access_token via POST /auth/refresh — no re-login required. Refresh tokens are valid for 30 days.

Was this helpful?

Previousarrow_backQuickstart NextSending First Messagearrow_forward

Authentication

Engium supports two authentication strategies: long-lived API keys for server-to-server calls and short-lived JWT tokens for user-facing browser clients. Both require an X-Tenant-ID header.

info

Prerequisites

•API key from Settings → Developer → API Keys.
•Your Tenant ID (shown on the same page).

Implementation

terminal

# --- Option A: API Key (server-side) ---
curl https://api.engium.app/api/v1/bookings \
  -H "Authorization: Bearer eng_live_xxxxxxxxxxxx" \
  -H "X-Tenant-ID: 3fa85f64-5717-4562-b3fc-2c963f66afa6"

# --- Option B: JWT exchange (browser clients) ---
curl -X POST https://api.engium.app/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"admin@yourco.com","password":"YOUR_PASS"}'

# Refresh an expired access token:
curl -X POST https://api.engium.app/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token":"YOUR_REFRESH_TOKEN"}'

Request Parameters

Parameter	Type	Requirement	Description
`Authorization`	Header · string	Required	Bearer {api_key} or Bearer {jwt_token}. Present on every request.
`X-Tenant-ID`	Header · UUID	Required	Your Tenant UUID. All data is scoped to this tenant; requests without it return 400.
`Content-Type`	Header · string	Optional	Required as application/json for POST / PATCH / PUT bodies.

AuthorizationRequired

Bearer {api_key} or Bearer {jwt_token}. Present on every request.

Type:Header · string

X-Tenant-IDRequired

Your Tenant UUID. All data is scoped to this tenant; requests without it return 400.

Type:Header · UUID

Content-TypeOptional

Required as application/json for POST / PATCH / PUT bodies.

Type:Header · string

warning

API keys are secrets

Never include an API key in frontend JavaScript, mobile binaries, or public repositories. Use environment variables server-side and rotate keys immediately if compromised.

info

JWT token expiry

Access tokens expire after 30 minutes. Use the refresh_token returned at login to get a new access_token via POST /auth/refresh — no re-login required. Refresh tokens are valid for 30 days.

Was this helpful?