Authentication

How to authenticate with the Vault Service API using JWT tokens.

Overview

All Vault Service endpoints (except health checks and internal jobs) require a valid JWT bearer token issued by auth-svc. The token carries your tenantId, which the service uses for Row Level Security (RLS) isolation; the @CurrentTenant() decorator extracts it from the token automatically.

Multi-Tenant Isolation

Every database query is scoped by tenantId via PostgreSQL RLS. You can only access assets, folders, and transforms that belong to your tenant.

Obtaining a JWT Token

Authenticate against the auth service login endpoint:

curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/auth/v1/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@eventzr.com",
    "password": "Password123!"
  }'

The response includes an accessToken (JWT) and a refreshToken. Use the access token as a Bearer token on all subsequent requests:

curl -X GET https://535ubezkse.execute-api.us-east-1.amazonaws.com/vault/v1/assets \
  -H "Authorization: Bearer <ACCESS_TOKEN>"

Test Credentials

Use these credentials on the staging environment for testing:

Role      | Email             | Password     | Access
----------|-------------------|--------------|-------------------------------------------
Developer | dev@eventzr.com   | Password123! | Read assets, transforms, folders, quota
Admin     | admin@eventzr.com | Password123! | Full access: CRUD, legal hold, admin, GDPR

JWT Claims Structure

The decoded JWT payload looks like this:

{
  "sub": "550e8400-e29b-41d4-a716-446655440000",
  "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "roles": ["admin"],
  "email": "admin@eventzr.com",
  "iat": 1740000000,
  "exp": 1740086400
}

Claim    | Description
---------|--------------------------------------------------
sub      | User ID (UUID)
tenantId | Tenant ID (UUID); used for RLS and data isolation
roles    | Array of roles: user, organizer, admin
exp      | Token expiration timestamp (24h validity)

Role Hierarchy

Role      | Vault Access
----------|--------------------------------------------------------------------------------
user      | Read assets, transforms, folders, quota status, legal hold status
organizer | Create/update assets, request transforms, create folders, share assets
admin     | Full access: delete, legal hold, cleanup, GDPR compliance, admin operations

Standard Headers

Header          | Required     | Description
----------------|--------------|-------------------------------------------------------
Authorization   | Yes          | Bearer <JWT_TOKEN>
Content-Type    | Yes (writes) | application/json
x-request-id    | Recommended  | Unique request ID for tracing (UUID)
x-tenant-id     | Recommended  | Tenant ID (the same value is also extracted from the JWT)
Idempotency-Key | Recommended  | Prevents duplicate operations (24h TTL)
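Putting the claims table, the role hierarchy and the standard headers together, here is an added Python example (not part of the Vault Service or auth-svc code) that inspects a token client-side before sending it: it checks the required claims and expiry, maps roles to the operation classes in the table, and builds the request headers. It assumes only the claim names and roles shown above; the sample token is constructed with a dummy signature, and signature verification stays with the service holding auth-svc's key.

```python
import base64
import json
import uuid

# Role hierarchy and minimum role per operation class, from the tables on this page.
ROLE_RANK = {"user": 1, "organizer": 2, "admin": 3}
REQUIRED_ROLE = {"read": "user", "write": "organizer", "delete": "admin"}

def decode_claims(token: str) -> dict:
    """Payload of a compact JWT. Signature NOT checked: only auth-svc's key can."""
    _, payload, _ = token.split(".")  # ValueError unless exactly three segments
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_problems(claims: dict, now: int) -> list:
    """Reasons the Vault Service would reject the token; empty means usable."""
    problems = [f"missing claim: {n}" for n in ("sub", "tenantId", "roles", "exp")
                if n not in claims]
    if problems:
        return problems
    for name in ("sub", "tenantId"):  # both must be UUIDs
        try:
            uuid.UUID(claims[name])
        except (ValueError, TypeError, AttributeError):
            problems.append(f"{name} is not a UUID")
    problems += [f"unknown role: {r}" for r in claims["roles"] if r not in ROLE_RANK]
    if claims["exp"] <= now:
        problems.append("token expired; use the refresh token to obtain a new one")
    return problems

def can_perform(claims: dict, operation: str) -> bool:
    """True if any role on the token meets the minimum role for the operation."""
    needed = ROLE_RANK[REQUIRED_ROLE[operation]]
    return any(ROLE_RANK.get(r, 0) >= needed for r in claims["roles"])

def request_headers(token: str, write: bool = False, idempotency_key=None) -> dict:
    """Standard headers for a call; resend the same Idempotency-Key when retrying."""
    headers = {"Authorization": f"Bearer {token}", "x-request-id": str(uuid.uuid4())}
    if write:
        headers["Content-Type"] = "application/json"
        headers["Idempotency-Key"] = idempotency_key or str(uuid.uuid4())
    return headers

def _segment(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
# Constructed sample token with the page's example sub/tenantId/roles/exp and a dummy signature.
SAMPLE_CLAIMS = {"sub": "550e8400-e29b-41d4-a716-446655440000", "roles": ["admin"],
                 "tenantId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "exp": 1740086400}
SAMPLE_TOKEN = ".".join([_segment({"alg": "HS256"}), _segment(SAMPLE_CLAIMS), "dummy-sig"])
```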

Response Envelope

All responses follow the standard EventZR envelope:

{
  "data": { },
  "error": null,
  "page": { "total": 150, "page": 1, "limit": 20, "has_more": true },
  "meta": { "request_id": "<uuid>" }
}

Internal API Key (Jobs)

Jobs endpoints (/vault/v1/jobs/*) use InternalApiKeyGuard instead of JWT. Pass the internal API key via the x-api-key header:

curl -X POST https://535ubezkse.execute-api.us-east-1.amazonaws.com/vault/v1/jobs/cleanup-expired \
  -H "x-api-key: <INTERNAL_API_KEY>"

Jobs endpoints are internal-only

Jobs endpoints are triggered by scheduled Lambda invocations and are not intended for external use. They require the internal API key configured through the INTERNAL_API_KEY environment variable.