Authentication

How to authenticate with the Reviews Service API using JWT tokens.

Overview

All endpoints require a Bearer JWT token, with two exceptions: Review Links (the validate and submit endpoints, which are public) and Scheduled Jobs (which use the x-internal-api-key header). The tenantId is extracted from the JWT claims automatically via the @CurrentTenant() decorator.

Obtaining a JWT Token

Login via auth-svc

```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "organizer@eventzr.com",
    "password": "Password123!"
  }'

# Response:
# {
#   "data": {
#     "accessToken": "eyJhbGciOiJSUzI1NiIs...",
#     "refreshToken": "eyJhbGciOiJSUzI1NiIs...",
#     "expiresIn": 3600
#   }
# }
```

Use the token

```bash
export TOKEN="<access-token-from-response>"

curl -X GET https://535ubezkse.execute-api.us-east-1.amazonaws.com/reviews/v1/reviews \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -H "x-tenant-id: 00000000-0000-0000-0000-000000000001"
```

Refresh an expired token

```bash
curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/refresh \
  -H "Content-Type: application/json" \
  -d '{ "refreshToken": "eyJhbGciOiJSUzI1NiIs..." }'
```

Test Credentials

Staging Environment Credentials

Use these credentials to test the API in the Scalar playground above.

| Role | Email | Password | Tenant ID |
|---|---|---|---|
| Organizer | organizer@eventzr.com | Password123! | 00000000-...-000001 |
| User | user@eventzr.com | Password123! | 00000000-...-000001 |

JWT Claims Structure

Decoded JWT payload

```json
{
  "sub": "user-uuid",
  "tenantId": "00000000-0000-0000-0000-000000000001",
  "email": "organizer@eventzr.com",
  "roles": ["user", "organizer"],
  "planTier": "professional",
  "iat": 1740000000,
  "exp": 1740003600
}
```

Standard Headers

| Header | Required | Description |
|---|---|---|
| Authorization | Yes | Bearer JWT token |
| Content-Type | POST/PATCH | application/json |
| x-tenant-id | Yes | Tenant UUID |
| x-request-id | No | Request trace ID (UUID), auto-generated if absent |
| x-idempotency-key | No | Idempotency key for POST/PATCH/DELETE (24h TTL) |
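
The claims structure and the header table above, combined in a client-side helper. This is an added example, not code from the Reviews Service: it reads exp to decide when to call the refresh endpoint and copies x-tenant-id from the token's tenantId claim so the two cannot disagree. The function names, the 60-second skew and the sample token are assumptions constructed for illustration.

```javascript
// Added example (not the service's code): client-side handling of the access token.
// decodeClaims() only reads the payload; it does NOT verify the RS256 signature,
// so its output is for scheduling refreshes and filling headers, not for trust decisions.
function decodeClaims(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT (expected 3 segments)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  for (const name of ["sub", "tenantId", "exp"]) {
    if (claims[name] === undefined) throw new Error(`missing claim: ${name}`);
  }
  return claims;
}

// True when the token has expired or expires within skewSeconds (assumed default: 60).
function needsRefresh(claims, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  return claims.exp - nowSeconds <= skewSeconds;
}

// Build the standard headers. x-tenant-id is copied from the tenantId claim; a caller
// asking for a different tenant is rejected locally instead of sending a mismatch.
function buildHeaders(token, { method = "GET", requestedTenant } = {}) {
  const claims = decodeClaims(token);
  if (requestedTenant !== undefined && requestedTenant !== claims.tenantId) {
    throw new Error("x-tenant-id does not match the token's tenantId claim");
  }
  const headers = { Authorization: `Bearer ${token}`, "x-tenant-id": claims.tenantId };
  if (method === "POST" || method === "PATCH") headers["Content-Type"] = "application/json";
  return headers;
}

// Constructed, unsigned sample token carrying the claim names shown on this page.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const SAMPLE_TOKEN = makeSampleToken({
  sub: "user-uuid",
  tenantId: "00000000-0000-0000-0000-000000000001",
  roles: ["user", "organizer"],
  iat: 1740000000,
  exp: 1740003600,
});
```

When needsRefresh() returns true, call the refresh endpoint shown earlier before retrying the request.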

Response Envelope

Standard response format

```json
{
  "data": { ... },
  "error": null,
  "meta": {
    "requestId": "req_abc123",
    "timestamp": "2026-02-24T10:00:00.000Z",
    "processingTime": 42
  }
}
```

Public & Internal Endpoints

Review Links (Public)

The Review Link endpoints GET /review-links/:token/validate and POST /review-links/:token/submit do not require a Bearer JWT token. These are public endpoints used by external reviewers who receive a unique review link.

Scheduled Jobs (Internal)

The Scheduled Jobs endpoints (e.g. POST /scheduled-jobs/close-expired-campaigns) require an x-internal-api-key header instead of a Bearer JWT token. These are invoked by EventBridge scheduled rules and are not intended for external consumption.