Authentication
Securely authenticate your applications using Admin's OAuth 2.0, API keys, and JWT token flow.
Overview
Admin supports several authentication methods, chosen by use case. The recommended approach for most applications is the JWT Bearer Token flow: stateless authentication with short-lived access tokens that your client rotates using the refresh token before they expire.
Important
Never expose your client secret or refresh tokens in client-side code (browser or mobile). Keep them in environment variables on a backend you control and proxy sensitive operations through that backend. Security is a shared responsibility.
Supported Methods
| Method | Use Case | Security Level |
|---|---|---|
| JWT Bearer | Web & Mobile Apps | High |
| API Keys | Server-to-Server | Medium |
| OAuth 2.0 / OIDC | Third-party Integrations | High |
| Basic Auth | Legacy / Testing | Low |
JWT Authentication Flow
The JWT flow consists of three steps: obtaining an access token, making authenticated requests, and refreshing tokens before expiration.
Step 1: Obtain Access Token
POST /api/v3/auth/token
Send your client credentials to receive a short-lived access token and a refresh token.
Request Body (JSON)
{
"client_id": "your_client_id",
"client_secret": "your_client_secret",
"grant_type": "client_credentials"
}
Response (200 OK)
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
}
Step 2: Make Authenticated Requests
Include the access token in the Authorization header of your API requests:
curl Example
curl -X GET https://api.admin.io/v3/users \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Accept: application/json"
Token Expiration
Access tokens expire after 1 hour (expires_in is 3600 seconds). Record the expiry when you receive the token and refresh with the refresh_token shortly before it is reached, rather than waiting for a request to fail. Still handle a 401 with code AUTH_TOKEN_EXPIRED by refreshing once and retrying the request, since clock drift or network latency can expire a token server-side before your local deadline.
Error Handling
Authentication errors return standard HTTP status codes with structured JSON responses:
| Code | Meaning | Resolution |
|---|---|---|
| 401 | Unauthorized | Token missing, malformed or expired: obtain or refresh a token and retry once |
| 403 | Forbidden | Token is valid but lacks the required permission: request the needed scope; retrying will not help |
| 429 | Too Many Requests | Rate limit exceeded: back off before retrying, or upgrade your plan |
Error Response Example
{
"error": "invalid_token",
"message": "The access token provided has expired or is malformed.",
"code": "AUTH_TOKEN_EXPIRED",
"details": {
"issued_at": "2025-03-15T10:00:00Z",
"expired_at": "2025-03-15T11:00:00Z"
}
}
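The three steps above, plus the 401 handling from the error table, written as one backend client in Python. This is an added example, not Admin's SDK or code from the page. It assumes the refresh request takes the standard OAuth 2.0 form (grant_type=refresh_token, RFC 6749 section 6), which the page does not show, and that the documented paths are relative to the API host. A constructed in-memory stand-in replaces api.admin.io so the block runs offline; the AUTH_INVALID_GRANT code and the s3cret credential inside that fake are invented for the demo.

```python
"""Admin API JWT flow: obtain a token, reuse it, refresh it before it expires,
and recover from the 401/403 responses in the error table.  Added example, not
Admin's SDK.  Assumed, not stated on the page: the refresh request uses the
standard OAuth 2.0 shape grant_type=refresh_token (RFC 6749 section 6); paths
are relative to the API host.  The HTTP transport is injected so this runs offline."""
import time

TOKEN_PATH = "/api/v3/auth/token"
REFRESH_SKEW = 60  # refresh this many seconds before our local expiry deadline

class AuthError(Exception):
    """401/403 that a retry will not fix (bad credentials, missing permission)."""

class AdminClient:
    def __init__(self, client_id, client_secret, transport, clock=time.time):
        # transport(method, path, headers, json_body) -> (status, json_dict);
        # client_secret never leaves this backend process (env var in practice).
        self._id, self._secret, self._send, self._now = client_id, client_secret, transport, clock
        self._access = self._refresh = None
        self._expires_at, self.token_requests = 0.0, 0

    def _post_token(self, body):
        self.token_requests += 1
        status, resp = self._send("POST", TOKEN_PATH, {"Content-Type": "application/json"}, body)
        if status != 200 or resp.get("token_type", "").lower() != "bearer":
            raise AuthError(f"token endpoint: {status} {resp.get('code')}")
        self._access = resp["access_token"]
        self._refresh = resp.get("refresh_token", self._refresh)  # rotation: keep the newest one
        self._expires_at = self._now() + float(resp["expires_in"])

    def _obtain(self):
        self._post_token({"client_id": self._id, "client_secret": self._secret,
                          "grant_type": "client_credentials"})

    def token(self):
        """Bearer token, refreshed proactively once inside the skew window."""
        if self._access is None:
            self._obtain()
        elif self._now() >= self._expires_at - REFRESH_SKEW:
            try:
                self._post_token({"grant_type": "refresh_token", "client_id": self._id,
                                  "refresh_token": self._refresh})
            except AuthError:  # refresh token revoked or expired: restart the flow
                self._obtain()
        return self._access

    def request(self, method, path, body=None, _retried=False):
        headers = {"Authorization": f"Bearer {self.token()}", "Accept": "application/json"}
        status, resp = self._send(method, path, headers, body)
        if status == 401 and resp.get("code") == "AUTH_TOKEN_EXPIRED" and not _retried:
            self._expires_at = 0.0  # server expired it before our deadline (clock drift):
            return self.request(method, path, body, _retried=True)  # refresh and retry once
        if status in (401, 403):  # 403 is a permission problem; retrying will not help
            raise AuthError(f"{status} {resp.get('code')}: {resp.get('message', '')}")
        return status, resp

class FakeAdminServer:
    """Constructed stand-in for api.admin.io mirroring the page's documented responses."""
    def __init__(self, clock, drift=0.0):
        self._now, self.drift, self.issued = clock, drift, 0  # drift: server clock runs ahead
        self._access, self._refresh = {}, set()

    def _issue(self):
        self.issued += 1
        access, refresh = f"access-{self.issued}", f"refresh-{self.issued}"
        self._access[access] = self._now() + 3600 - self.drift
        self._refresh.add(refresh)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600, "refresh_token": refresh}

    def __call__(self, method, path, headers, body):
        body = body or {}
        if path == TOKEN_PATH:
            if body.get("grant_type") == "client_credentials" and body.get("client_secret") == "s3cret":
                return 200, self._issue()
            if body.get("grant_type") == "refresh_token" and body.get("refresh_token") in self._refresh:
                self._refresh.discard(body["refresh_token"])  # refresh tokens are single-use here
                return 200, self._issue()
            return 401, {"error": "invalid_grant", "code": "AUTH_INVALID_GRANT", "message": "bad grant"}
        token = headers.get("Authorization", "")[len("Bearer "):]
        if self._now() >= self._access.get(token, 0.0):
            return 401, {"error": "invalid_token", "code": "AUTH_TOKEN_EXPIRED",
                         "message": "The access token provided has expired or is malformed."}
        return 200, {"path": path, "data": []}

def run_demo():
    """Exercise token reuse, reactive (401) refresh and proactive refresh, offline."""
    clock = [1_700_000_000.0]
    def now(): return clock[0]
    server = FakeAdminServer(now, drift=120)
    client = AdminClient("your_client_id", "s3cret", server, clock=now)
    client.request("GET", "/v3/users")              # first call obtains access-1
    clock[0] += 3000
    client.request("GET", "/v3/users")              # inside the hour: same token reused
    reused = client.token_requests == 1
    clock[0] += 500                                 # server (120s ahead) now rejects it
    status, _ = client.request("GET", "/v3/users")  # 401 -> refresh -> retry -> 200
    reactive = status == 200 and client.token_requests == 2
    clock[0] += 3600 - REFRESH_SKEW                 # reaches local deadline minus skew
    client.request("GET", "/v3/users")              # proactive refresh, no 401 round-trip
    return {"reused": reused, "reactive_ok": reactive,
            "proactive_ok": client.token_requests == 3, "server_issued": server.issued}
```

Calling run_demo() walks the client through token reuse, a 401 AUTH_TOKEN_EXPIRED recovered by a single refresh-and-retry, and a proactive refresh inside the 60 second window. The single-retry guard and the fallback from a failed refresh to a fresh client_credentials request are the two details that keep a drifted clock or a revoked refresh token from turning into a retry storm or a hard outage.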
Security Best Practices
- Always use HTTPS for token exchange and API requests
- Store tokens in HttpOnly, Secure cookies or in memory only; never in localStorage or other persistent client storage
- Implement token rotation and revocation strategies
- Use short-lived access tokens (≤ 1 hour) and long-lived refresh tokens
- Validate tokens on the server side against Admin's public JWKS endpoint, pinning the signing algorithm you expect rather than trusting the token's alg header (the sample token above carries an HS256 header, a symmetric algorithm that no public key can verify; confirm which algorithm your tokens are actually signed with)
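Server-side verification as the last bullet describes, as an added Python example that is not Admin's code. It assumes Admin's tokens are RS256-signed, since a public JWKS can only verify an asymmetric signature; the JWKS document, kid, issuer and audience are constructed test values, and the RSA routines exist only so the block runs offline with the standard library. In production you would fetch the JWKS from Admin's endpoint, cache it by kid, and verify with a maintained JOSE library.

```python
"""Server-side verification of an RS256 JWT against a JWKS document.  Added
illustration of the 'validate tokens on the server side' practice, not Admin's
code.  Assumed: Admin signs with RS256 (a public JWKS implies an asymmetric
algorithm); issuer, audience, kid and key material are constructed test values."""
import base64, hashlib, hmac, json, random

def b64u(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Minimal RSA (PKCS#1 v1.5 with SHA-256), standard library only, so this runs offline.
# The key generation exists only to mint a test token; real keys come from the IdP.
def _probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                  # Miller-Rabin rounds
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def _prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c): return c

def generate_rsa(bits: int = 1024, kid: str = "admin-2025-03"):
    """Test key pair: returns (private key dict, JWKS document with the public half)."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e: break
    n = p * q
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")),
                      "e": b64u(e.to_bytes(3, "big"))}]}
    return {"n": n, "d": pow(e, -1, (p - 1) * (q - 1)), "kid": kid}, jwks

def _emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    # 00 01 FF..FF 00 || DigestInfo(SHA-256) || SHA-256(msg), padded to the modulus size k
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def mint_jwt(claims: dict, key: dict) -> str:
    header = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64u(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_jwt(token: str, jwks: dict, issuer: str, audience: str, now: float, leeway: int = 30) -> dict:
    """Return verified claims or raise ValueError.  The algorithm is pinned to RS256; the
    token's own 'alg' header never selects the verifier (defeats alg=none / HS256 swaps)."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(unb64u(h)), json.loads(unb64u(p)), unb64u(s)
        if not (isinstance(header, dict) and isinstance(claims, dict)): raise TypeError
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    key = next((j for j in jwks["keys"] if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = int.from_bytes(unb64u(key["n"]), "big"), int.from_bytes(unb64u(key["e"]), "big")
    k, sv = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or sv >= n or not hmac.compare_digest(
            pow(sv, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(f"{h}.{p}".encode(), k)):
        raise ValueError("bad signature")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

def run_demo() -> dict:
    key, jwks = generate_rsa()
    iss, aud, t0 = "https://api.admin.io", "my-backend", 1_742_032_800  # constructed; 2025-03-15T10:00Z
    claims = {"iss": iss, "aud": aud, "sub": "user_123", "iat": t0, "exp": t0 + 3600}
    token = mint_jwt(claims, key)
    h, p, s = token.split(".")
    cases = {"valid": (token, t0 + 10),
             "expired": (token, t0 + 3600 + 31),                       # past exp plus leeway
             "payload_tampered": (h + "." + b64u(json.dumps({**claims, "sub": "admin"}).encode()) + "." + s, t0 + 10),
             "alg_none": (b64u(b'{"alg":"none","kid":"admin-2025-03"}') + "." + p + ".", t0 + 10)}
    results = {}
    for name, (tok, now) in cases.items():
        try:
            results[name] = "ok:" + verify_jwt(tok, jwks, iss, aud, now=now)["sub"]
        except ValueError as exc:
            results[name] = "rejected:" + str(exc)
    return results
```

Two points are worth copying into any real verifier: the expected algorithm is fixed in code rather than read from the token header, so alg=none and algorithm-confusion tokens are rejected before any key is even looked up, and the key is selected by kid from the JWKS, so rotation means publishing a new key rather than redeploying your service.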
Next Steps
Now that you understand authentication, proceed to API Keys Management or explore the Users Endpoint Reference.