Skip to main content

Authentication

The usmewe API uses JWT (JSON Web Tokens) for authentication, powered by Supabase Auth.

Authentication Flow

┌─────────┐     ┌─────────┐     ┌─────────┐
│  User   │────►│ Supabase│────►│ usmewe  │
│         │     │  Auth   │     │   API   │
└─────────┘     └─────────┘     └─────────┘
     │               │               │
     │  1. Login     │               │
     │──────────────►│               │
     │               │               │
     │  2. JWT Token │               │
     │◄──────────────│               │
     │               │               │
     │  3. API Request with JWT      │
     │──────────────────────────────►│
     │               │               │
     │  4. Response  │               │
     │◄──────────────────────────────│

Getting a Token

Use Google OAuth for the simplest authentication: 
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);

// Sign in with Google
const { data, error } = await supabase.auth.signInWithOAuth({
  provider: 'google',
  options: {
    redirectTo: 'https://yourapp.com/callback'
  }
});

Option 2: Email/Password

// Sign up
const { data, error } = await supabase.auth.signUp({
  email: '[email protected]',
  password: 'xxx' // Replace with actual password
});

// Sign in
const { data, error } = await supabase.auth.signInWithPassword({
  email: '[email protected]',
  password: 'xxx' // Replace with actual password
});

// Get JWT
const token = data.session.access_token;

Using the Token

Include the JWT in the Authorization header: 
curl -X GET "https://api.usmewe.com/v1/users/me" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."

Token Refresh

Tokens expire after 1 hour. Refresh before expiration: 
const { data, error } = await supabase.auth.refreshSession();
const newToken = data.session.access_token;

API Key Authentication

For server-to-server integrations, use API keys: 
curl -X GET "https://api.usmewe.com/v1/users/me" \
  -H "X-API-Key: your_api_key"
API keys are only available for Pro and Enterprise tiers. Contact us to request access.

Error Responses

Invalid Token

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or expired token"
  }
}

Missing Token

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authorization header required"
  }
}

Security Best Practices

Always send tokens in headers, never as query parameters
Use secure storage (keychain, encrypted storage) on mobile/desktop
Refresh tokens before they expire to avoid interruptions
All API requests must use HTTPS

Next Steps

Users API

Get user profiles and settings

JavaScript SDK

Use our official SDK