Authorization
All API requests are authenticated with a JWT. You generate the JWT on your server using the private key obtained from your portal, then send it in the Authorization header as a Bearer token.
Overview
The authorization flow involves:
- Generating a private key from the portal
- Creating a JWT token with your external ID and role
- Including the JWT as a Bearer token in API requests
Authentication Header
Include your JWT token in all API requests:
Authorization: Bearer YOUR_JWT_TOKEN
JWT Generation
Generate JWT for Server Side
For server side applications, generate a private application JWT. This call uses the private key, so it runs on your server. The third argument is the expiration and defaults to '1m'.
import { jwt } from '@basistheory/ai-sdk';
const token = jwt.generatePrivate(privateKey, externalId, '1m');
Generate JWT for Client Side
For client side applications, generate a public application JWT. This call also needs the private key, so it still runs on your server; only the resulting public-role token is handed to the client. The third argument is the expiration and defaults to '1m'.
import { jwt } from '@basistheory/ai-sdk';
const token = jwt.generatePublic(privateKey, externalId, '1m');
Required Claims
| Claim | Description |
|---|---|
| external_id | Your unique user identifier; this scopes the JWT to resources belonging to this id only |
| role | Token type: 'private' (server side) or 'public' (client side) |
| exp | Expiration time (Unix timestamp, seconds) |
| iat | Issued-at time (Unix timestamp, seconds) |
Security Best Practices
- Keep your private key secure - Never expose it in client-side code; mint tokens on the server and hand the client only the public-role JWT
- Use appropriate expiration times - Shorter for sensitive operations, so a leaked token is usable only briefly
- Validate tokens on every request - Always verify the signature before trusting any claim, then check the required claims and exp
- Handle expired tokens gracefully - Treat an expired or rejected token as a signal to mint a new one and retry, rather than failing the request