Skip to content
Spatial.Properties

Authentication

Spatial.Properties uses Supabase Auth for authentication. All authenticated endpoints require a JWT access token passed as a Bearer token in the Authorization header.

Authentication Flow

Section titled “Authentication Flow”
sequenceDiagram
    participant Client
    participant Supabase Auth
    participant API

    Client->>Supabase Auth: Sign in (email + password)
    Supabase Auth-->>Client: access_token + refresh_token
    Client->>API: Request + Authorization: Bearer access_token
    API->>API: Validate JWT signature
    API-->>Client: Response (200)
  1. Sign in via the Supabase Auth API to receive an access_token (JWT) and a refresh_token.
  2. Include the access_token in every API request as a Bearer token.
  3. The API validates the JWT signature on every request. Invalid or expired tokens return a 401 error.

Obtaining a Token

Section titled “Obtaining a Token”

Sign in to receive your access token. Replace YOUR_PROJECT with your Supabase project ID and YOUR_SUPABASE_ANON_KEY with your project’s anonymous key.

Terminal window
curl -X POST 'https://YOUR_PROJECT.supabase.co/auth/v1/token?grant_type=password' \
  -H 'apikey: YOUR_SUPABASE_ANON_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "you@example.com",
    "password": "your-password"
  }'

The response includes:

{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "abc123..."
}

Using the Token

Section titled “Using the Token”

Pass the access_token as a Bearer token in the Authorization header on every API request.

Terminal window
curl -X GET 'https://api.spatial.properties/billing/credits/balance' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Token Lifecycle

Section titled “Token Lifecycle”
  • Access tokens expire after approximately 1 hour (expires_in: 3600).
  • Refresh tokens have a longer lifespan and are used to obtain new access tokens without re-entering credentials.

When your access token expires, use the refresh token to get a new one:

Terminal window
curl -X POST 'https://YOUR_PROJECT.supabase.co/auth/v1/token?grant_type=refresh_token' \
  -H 'apikey: YOUR_SUPABASE_ANON_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"refresh_token": "YOUR_REFRESH_TOKEN"}'

Public Endpoints

Section titled “Public Endpoints”

These endpoints do not require authentication:

EndpointDescription
GET /healthHealth check and pack count

All other endpoints require a valid Bearer token.

Test Your Setup

Section titled “Test Your Setup”

Verify your authentication is working with these three steps.

Step 1: Check connectivity. Call the public health endpoint (no token required):

Terminal window
curl -s 'https://api.spatial.properties/health'

Expected response:

{"status": "ok", "packs_loaded": 1}

Step 2: Obtain a token. Use the sign-in call from Obtaining a Token above.

Step 3: Call an authenticated endpoint. Use your token to check your credit balance:

Terminal window
curl -s 'https://api.spatial.properties/billing/credits/balance' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'

Expected success response:

{"balance": "50.00", "currency": "AUD"}

If you receive a 401 error instead, check that:

  • Your token has not expired (tokens last approximately 1 hour)
  • The Authorization header uses the format Bearer <token> with a space after “Bearer”
  • You are using the access_token value, not the refresh_token