
Authentication
Three token types. Pick the right one for your use case.

| Token | Created in | Lifetime | Carries identity |
|---|---|---|---|
| API token | Admin → API Tokens | Long-lived | No (system context) |
| Endpoint token | Admin → API Tokens → Endpoint | Long-lived | No (system context) |
| Session JWT | Login flow | Short-lived | Yes (user identity + ReBAC) |

API token — use for connectors and system-to-system calls. Scope it to the minimum capability needed (e.g. ingestion for connectors, read for exports).

Endpoint token — like an API token but restricted to specific endpoint paths. Use for external systems calling a particular endpoint via POST /api/endpoints/token/run/{name}.

Session JWT — carries the user's identity. Use in custom front-ends. Every search and graph call made with this token enforces the user's ACLs automatically.

```http
POST /api/endpoints/token/run/similar-tickets
Authorization: Bearer <endpoint-token>
Content-Type: application/json

{ "query": "battery drain" }
```
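
A client-side sketch of the endpoint-token call above, added here as an example and not taken from the product's own code. It refuses cleartext transport and rejects endpoint names that could change the request path. The host `example.invalid`, the `ENDPOINT_TOKEN` variable, the allowed name characters and the JSON response are assumptions.

```python
import json
import os
import re
import urllib.parse
import urllib.request

# Assumption: endpoint names look like the page's "similar-tickets"
# (letters, digits, "-" and "_"); the page does not state the allowed set.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def build_endpoint_request(base_url, name, payload, token):
    """Build (but do not send) POST /api/endpoints/token/run/{name}."""
    parts = urllib.parse.urlsplit(base_url)
    # A bearer token is a reusable credential: refuse to send it in cleartext.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an https:// URL")
    # Reject "/", "..", "?" and similar so a caller-supplied name cannot
    # point the token at a different path.
    if not _NAME_RE.fullmatch(name):
        raise ValueError("invalid endpoint name")
    if not token:
        raise ValueError("missing endpoint token")
    url = f"https://{parts.netloc}/api/endpoints/token/run/{name}"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def run_endpoint(base_url, name, payload, timeout=10):
    # ENDPOINT_TOKEN is a hypothetical variable name; keep the token out of source.
    token = os.environ.get("ENDPOINT_TOKEN", "")
    req = build_endpoint_request(base_url, name, payload, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)  # assumption: the endpoint answers with JSON


if __name__ == "__main__":
    # Constructed sample values; example.invalid is a placeholder host.
    req = build_endpoint_request(
        "https://example.invalid", "similar-tickets",
        {"query": "battery drain"}, "constructed-token")
    print(req.get_method(), req.full_url)
```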