Authentication
How to authenticate with the App Registry Service API using JWT tokens and OAuth 2.0.
Overview
The App Registry Service uses two authentication methods depending on the endpoint group:
| Endpoint Group | Auth Method | Roles |
|---|---|---|
| Apps (CRUD) | JWT Bearer | developer, organizer, admin |
| Apps (admin actions) | JWT Bearer | admin, super_admin |
| Developer | JWT Bearer | user, developer, organizer, admin |
| Installations | JWT Bearer | organizer, admin |
| OAuth (authorize, consent) | JWT Bearer | organizer, admin |
| OAuth (token, introspect, revoke) | Public | — |
| Webhooks | App Auth (client_credentials) | — |
| Search, Recommendations | JWT Bearer | user, organizer, developer, admin |
| Health | Public | — |
Obtaining a JWT Token
Login via auth-svc
```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@eventzr.com",
    "password": "Password123!"
  }'
# Response:
# {
#   "data": {
#     "accessToken": "eyJhbGciOiJSUzI1NiIs...",   # RS256-signed JWT (header decodes to {"alg":"RS256",...})
#     "refreshToken": "eyJhbGciOiJSUzI1NiIs...",
#     "expiresIn": 3600                          # lifetime in seconds; refresh before it lapses
#   }
# }
```
Use the token
```bash
export TOKEN="<access-token-from-response>"
curl -X GET https://535ubezkse.execute-api.us-east-1.amazonaws.com/app-registry/v1/apps \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json"
```
OAuth 2.0 Flows
Supported OAuth 2.0 Flows
The App Registry supports full OAuth 2.0 for third-party app authorization, including PKCE for public clients.
| Flow | Use Case | RFC |
|---|---|---|
| Authorization Code + PKCE | Organizer consent for third-party apps | RFC 7636 |
| Client Credentials | Server-to-server app access | RFC 6749 |
| Refresh Token | Long-lived sessions | RFC 6749 |
| Token Introspection | Validate tokens from other services | RFC 7662 |
| Token Revocation | Invalidate tokens | RFC 7009 |
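Before the curl walkthrough that follows, here is the same RFC 7636 arithmetic in Python, as an added example rather than code from the App Registry Service: the client-side verifier and S256 challenge generation, the constant-time comparison that the token endpoint must perform when the code is redeemed (how this service implements its own check is not shown on this page), and a builder for the authorize URL that URL-encodes the space-separated scope list. Endpoint paths and parameter names are taken from the page; the RFC's Appendix B test vector is used to check the arithmetic.

```python
"""RFC 7636 PKCE: client-side generation and the server-side check.

Added example, not the App Registry Service's own code. The authorize path
and parameter names come from the page; verify_pkce() is what any compliant
authorization server must do at the token endpoint, but the service's own
implementation is not shown on the page.
"""
import base64
import hashlib
import hmac
import secrets
from typing import List
from urllib.parse import urlencode

# RFC 7636 section 4.1: code_verifier is 43..128 chars from [A-Za-z0-9-._~]
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
BASE = "https://535ubezkse.execute-api.us-east-1.amazonaws.com"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes -> 43-char base64url verifier (the RFC minimum length)."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def is_valid_verifier(verifier: str) -> bool:
    """Length and alphabet check the server applies before hashing."""
    return 43 <= len(verifier) <= 128 and set(verifier) <= UNRESERVED


def verify_pkce(verifier: str, stored_challenge: str, method: str) -> bool:
    """Server-side check at /oauth/token: recompute and compare in constant time.

    Only S256 is accepted; 'plain' is rejected because it gives a stolen
    authorization code no protection at all.
    """
    if method != "S256" or not is_valid_verifier(verifier):
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


def authorize_url(client_id: str, redirect_uri: str, scopes: List[str], challenge: str) -> str:
    """Builds the Step 2 redirect; urlencode() handles the space in the scope list."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{BASE}/app-registry/v1/oauth/authorize?" + urlencode(params)


if __name__ == "__main__":
    verifier = new_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(authorize_url("<app-client-id>", "https://myapp.com/callback",
                        ["read:events", "write:events"], challenge))
    # The token endpoint accepts the original verifier and rejects any other.
    assert verify_pkce(verifier, challenge, "S256")
    assert not verify_pkce(new_code_verifier(), challenge, "S256")
```

The verifier is generated once per authorization attempt and kept only in the client's memory or session until Step 3; it never travels in the redirect, which is what makes an intercepted authorization code useless to an attacker.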
Authorization Code Flow with PKCE
```bash
# Step 1: Generate the PKCE verifier and challenge (RFC 7636, method S256).
# 32 random bytes -> 43-char base64url verifier. Map '+' '/' to '-' '_' and strip the
# '=' padding; deleting '+' and '/' instead (tr -d '=+/') would shorten the value below
# the 43-char minimum and produce a challenge the server can never match.
CODE_VERIFIER=$(openssl rand -base64 32 | tr '+/' '-_' | tr -d '=')
CODE_CHALLENGE=$(printf '%s' "$CODE_VERIFIER" | openssl dgst -sha256 -binary | base64 | tr '+/' '-_' | tr -d '=')
# Step 2: Redirect the organizer to the authorize endpoint. Per the table above this
# endpoint takes the organizer's JWT Bearer token, so they must already be logged in.
# scope is space-separated; encode the space as %20 when building the real URL.
GET /app-registry/v1/oauth/authorize?
    response_type=code&
    client_id=<app-client-id>&
    redirect_uri=https://myapp.com/callback&
    scope=read:events%20write:events&
    code_challenge=$CODE_CHALLENGE&
    code_challenge_method=S256
# Step 3: Exchange the code for a token. Send the same CODE_VERIFIER from Step 1; the
# server recomputes BASE64URL(SHA256(code_verifier)) and compares it with the
# code_challenge it stored at Step 2, so a leaked code alone cannot be redeemed.
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/app-registry/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "<auth-code>",
    "redirect_uri": "https://myapp.com/callback",
    "client_id": "<app-client-id>",
    "code_verifier": "'"$CODE_VERIFIER"'"
  }'
```
Test Credentials
Staging Environment Credentials
Use these credentials to test the API in the Scalar playground above.
| Role | Email | Password | Tenant ID |
|---|---|---|---|
| Developer | dev@eventzr.com | Password123! | 00000000-...-000001 |
| Admin | admin@eventzr.com | Password123! | 00000000-...-000001 |
Standard Headers
| Header | Required | Description |
|---|---|---|
| Authorization | Yes (all non-Public endpoints) | `Bearer <JWT access token>` |
| Content-Type | POST/PUT/PATCH | application/json |
| x-request-id | No | Request trace ID (UUID), auto-generated if absent |
| x-tenant-id | Recommended | Tenant UUID for explicit tenant filtering |
| Idempotency-Key | No | Idempotency key for write operations (24h TTL); send the same key when retrying a write so it is not applied twice |
Response Envelope
Standard response format
```json
{
  "data": { ... },
  "error": null,
  "page": {
    "next_cursor": "eyJwYWdlIjoyLCJsaW1pdCI6MjB9",
    "has_more": true,
    "limit": 20
  },
  "meta": {
    "request_id": "550e8400-e29b-41d4-a716-446655440000",
    "trace_id": "abc123",
    "tenant_id": "tenant-uuid"
  }
}
```
`error` is `null` on success. To page through a listing, send `page.next_cursor` back while `page.has_more` is true; `meta.request_id` is the value to quote when correlating a request with server-side logs.
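The following client helper ties the Standard Headers table and the response envelope together: it builds the Bearer and tenant headers, adds an Idempotency-Key only on writes, refuses any envelope whose `error` is not null, and walks `page.next_cursor` until `has_more` is false. It is an added example, not the service's own client. Header names and envelope fields are taken from this page; the query parameter used to send a cursor back (`cursor`) is an assumption, and the transport is an offline stub that serves constructed envelopes so the code runs without network access.

```python
"""Client handling of the App Registry standard headers and response envelope.

Added example, not the service's own client. Header names, envelope fields
and pagination keys come from the page; the "cursor" query parameter is an
assumption, and fake_transport() serves constructed envelopes offline.
"""
import base64
import json
import uuid
from typing import Callable, Dict, Iterator, List, Optional

# (method, url, headers, json body) -> parsed response envelope
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


class ApiError(Exception):
    """Non-null `error` in the envelope; carries meta.request_id for log correlation."""

    def __init__(self, error, request_id):
        super().__init__(f"{error} (request_id={request_id})")
        self.error = error
        self.request_id = request_id


def build_headers(token: str, tenant_id: str, *, write: bool = False,
                  idempotency_key: Optional[str] = None) -> Dict[str, str]:
    """Standard headers from the table above. Writes get an Idempotency-Key so a
    retry of the same POST/PUT/PATCH within the 24h TTL is not applied twice;
    the caller must pass the *same* key on the retry, not a fresh one."""
    headers = {
        "Authorization": f"Bearer {token}",
        "x-tenant-id": tenant_id,
        "x-request-id": str(uuid.uuid4()),  # optional; the service generates one if absent
    }
    if write:
        headers["Content-Type"] = "application/json"
        headers["Idempotency-Key"] = idempotency_key or str(uuid.uuid4())
    return headers


def unwrap(envelope: dict) -> dict:
    """Reject any envelope whose `error` is not null before touching `data`."""
    if envelope.get("error") is not None:
        raise ApiError(envelope["error"], envelope.get("meta", {}).get("request_id"))
    return envelope


def iter_pages(transport: Transport, url: str, headers: Dict[str, str]) -> Iterator[dict]:
    """Yield every item of `data`, following page.next_cursor while page.has_more."""
    cursor: Optional[str] = None
    seen = set()
    while True:
        page_url = url if cursor is None else f"{url}?cursor={cursor}"  # param name assumed
        env = unwrap(transport("GET", page_url, headers, None))
        for item in env["data"]:
            yield item
        page = env.get("page") or {}
        cursor = page.get("next_cursor")
        # Stop on has_more=false, a missing cursor, or a repeated cursor (a server
        # bug must not turn a listing into an infinite loop).
        if not page.get("has_more") or not cursor or cursor in seen:
            return
        seen.add(cursor)


def peek_cursor(cursor: str) -> dict:
    """The sample cursor on this page is base64url JSON. Decoding it helps when
    debugging, but send cursors back unmodified: a client-constructed cursor is
    untrusted input to the server, not a supported way to jump pages."""
    padded = cursor + "=" * (-len(cursor) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


# Constructed envelopes standing in for two pages of GET /app-registry/v1/apps.
FIRST_CURSOR = "eyJwYWdlIjoyLCJsaW1pdCI6MjB9"
SAMPLE_PAGES = {
    None: {
        "data": [{"id": "app-1"}, {"id": "app-2"}],
        "error": None,
        "page": {"next_cursor": FIRST_CURSOR, "has_more": True, "limit": 20},
        "meta": {"request_id": "550e8400-e29b-41d4-a716-446655440000"},
    },
    FIRST_CURSOR: {
        "data": [{"id": "app-3"}],
        "error": None,
        "page": {"next_cursor": None, "has_more": False, "limit": 20},
        "meta": {"request_id": "550e8400-e29b-41d4-a716-446655440001"},
    },
}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    """Offline stand-in for HTTP: serves SAMPLE_PAGES keyed by the cursor query value."""
    cursor = url.split("?cursor=", 1)[1] if "?cursor=" in url else None
    return SAMPLE_PAGES[cursor]


def list_app_ids(transport: Transport = fake_transport) -> List[str]:
    """Walk every page of /apps and return the app ids in order."""
    headers = build_headers("<access-token>", "<tenant-uuid>")
    url = "https://535ubezkse.execute-api.us-east-1.amazonaws.com/app-registry/v1/apps"
    return [app["id"] for app in iter_pages(transport, url, headers)]


if __name__ == "__main__":
    print(list_app_ids())             # ['app-1', 'app-2', 'app-3']
    print(peek_cursor(FIRST_CURSOR))  # {'page': 2, 'limit': 20}
```

Swap `fake_transport` for a function that performs the real HTTP call and returns the parsed JSON body; everything else, including the error and pagination handling, stays the same.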