Authentication

How to authenticate with the Jobs Service API using JWT tokens.

Overview

All endpoints (except Health and Prometheus Metrics) require a Bearer JWT token. The tenantId is extracted from the JWT claims automatically via the @CurrentTenant() decorator. Worker protocol endpoints additionally require mTLS client certificates.

Obtaining a JWT Token

Login via auth-svc

```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@eventzr.com",
    "password": "Password123!"
  }'

# Response:
# {
#   "data": {
#     "accessToken": "eyJhbGciOiJSUzI1NiIs...",
#     "refreshToken": "eyJhbGciOiJSUzI1NiIs...",
#     "expiresIn": 3600
#   }
# }
```

Use the token with Jobs Service

```bash
export TOKEN="<access-token-from-response>"

# Enqueue a job
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/jobs/v1/enqueue \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "email.send",
    "payload": { "to": "user@example.com", "template": "welcome" },
    "priority": 5
  }'
```

Refresh an expired token

```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/refresh \
  -H "Content-Type: application/json" \
  -d '{ "refreshToken": "eyJhbGciOiJSUzI1NiIs..." }'
```

Test Credentials

Staging Environment Credentials

Use these credentials to test the API in the Scalar playground above.

| Role | Email | Password | Tenant ID |
|---|---|---|---|
| Developer | dev@eventzr.com | Password123! | 10000000-...-000004 |
| Admin | admin@eventzr.com | Password123! | 10000000-...-000001 |

JWT Claims Structure

Decoded JWT payload

```json
{
  "sub": "20000000-0000-4000-8000-000000000004",
  "tenantId": "10000000-0000-4000-8000-000000000004",
  "email": "dev@eventzr.com",
  "roles": ["user", "organizer", "admin"],
  "planTier": "professional",
  "iat": 1740000000,
  "exp": 1740003600
}
```

Standard Headers

| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer JWT token |
| Content-Type | POST/PUT/PATCH | application/json |
| x-request-id | No | Request trace ID (UUID), auto-generated if absent |
| x-tenant-id | Recommended | Tenant UUID for explicit tenant filtering |
| Idempotency-Key | No | Idempotency key for write operations (24h TTL) |

Response Envelope

Standard response format

```json
{
  "data": { ... },
  "error": null,
  "page": {
    "next_cursor": "eyJwYWdlIjoyLCJsaW1pdCI6MjB9",
    "has_more": true,
    "limit": 20
  },
  "meta": {
    "request_id": "550e8400-e29b-41d4-a716-446655440000",
    "trace_id": "abc123",
    "tenant_id": "10000000-0000-4000-8000-000000000004"
  }
}
```

Role-Based Access

Jobs Service endpoints enforce role-based access control. Admin endpoints require the admin role.

| Endpoint Group | Required Roles |
|---|---|
| Jobs (enqueue, list, get, update, cancel, retry) | admin, manager, member, viewer |
| Dead Letter Queue | admin, manager, member, viewer |
| Metrics, Quota | admin, manager, member, viewer |
| Admin (workers, tenant overrides) | admin |
| Worker Protocol (lease, heartbeat, complete, fail) | mTLS + internal |
| Health (healthz, readyz) | Public (no auth) |
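
The claim checks implied by the JWT Claims Structure, Standard Headers and Role-Based Access sections, written out as an added example (this is not the Jobs Service's own code). `authorize`, `decodeClaims`, `sampleToken` and the group keys are hypothetical names; rejecting an `x-tenant-id` header that disagrees with the token's `tenantId` is an assumption about policy, and signature verification is assumed to have happened before these checks.

```javascript
// Added example: claim checks only. Signature verification (the page's tokens
// are RS256) is assumed to have happened before this runs.

// Roles per endpoint group, from the Role-Based Access table. Worker protocol
// (mTLS) and the public health endpoints are outside this check.
const REQUIRED_ROLES = new Map([
  ['jobs', ['admin', 'manager', 'member', 'viewer']],
  ['dlq', ['admin', 'manager', 'member', 'viewer']],
  ['metrics', ['admin', 'manager', 'member', 'viewer']],
  ['admin', ['admin']],
]);

const deny = (reason) => ({ allow: false, reason, tenantId: null });

// Decode the payload segment of a compact JWT (header.payload.signature).
function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Hypothetical guard: fail closed on anything missing, stale or inconsistent.
function authorize(token, group, headers = {}, nowSec = Math.floor(Date.now() / 1000)) {
  const allowed = REQUIRED_ROLES.get(group);
  if (!allowed) return deny('unknown-group');
  let claims;
  try { claims = decodeClaims(token); } catch (e) { return deny('malformed'); }
  if (claims === null || typeof claims !== 'object') return deny('malformed');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return deny('expired');
  if (typeof claims.tenantId !== 'string') return deny('no-tenant');
  // Assumption: an x-tenant-id that disagrees with the token is rejected, so the
  // header can narrow a request but never select another tenant.
  const hdr = headers['x-tenant-id'];
  if (hdr !== undefined && String(hdr).toLowerCase() !== claims.tenantId.toLowerCase()) {
    return deny('tenant-mismatch');
  }
  const roles = Array.isArray(claims.roles) ? claims.roles : [];
  if (!roles.some((r) => allowed.includes(r))) return deny('role');
  return { allow: true, reason: 'ok', tenantId: claims.tenantId };
}

// Constructed, unsigned sample token carrying the claims shown on this page.
function sampleToken(overrides = {}) {
  const claims = { sub: '20000000-0000-4000-8000-000000000004',
    tenantId: '10000000-0000-4000-8000-000000000004', email: 'dev@eventzr.com',
    roles: ['user', 'organizer', 'admin'], iat: 1740000000, exp: 1740003600, ...overrides };
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.constructed-signature`;
}
```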