Authentication Methods
Decisio supports two authentication methods:
API Keys
Long-lived keys for server-to-server communication. Best for backend integrations and automation.
JWT Tokens
Short-lived tokens obtained via login. Best for user-facing applications and mobile apps.
API Key Authentication
Creating an API Key
- Go to Settings → API Keys in your dashboard
- Click Create API Key
- Enter a description (e.g., "Production Backend")
- Select permissions (read-only or read-write)
- Copy the key immediately (it won't be shown again)
Using API Keys
Include the API key in the X-API-Key header:
```bash
curl -X GET "https://api.decisio.ai/v1/products" \
  -H "X-API-Key: dcs_live_xxxxxxxxxxxxxxxxxxxxxxxx"
```
API Key Prefixes
| Prefix | Environment | Description |
|---|---|---|
| dcs_live_ | Production | Full access to production data |
| dcs_test_ | Sandbox | Test environment, no real data |
JWT Token Authentication
Obtaining Tokens
Exchange credentials for access and refresh tokens:
```http
POST /auth/login
Content-Type: application/json

{
  "email": "user@company.com",
  "password": "your-password"
}
```
Response:
```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "token_type": "Bearer",
  "expires_in": 3600
}
```
Using Access Tokens
Include the access token in the Authorization header:
```bash
curl -X GET "https://api.decisio.ai/v1/decisions" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
```
Refreshing Tokens
Access tokens expire after 1 hour. Use the refresh token to get a new one:
```http
POST /auth/refresh
Content-Type: application/json

{
  "refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}
```
Token Lifetimes
| Token Type | Lifetime | Renewable |
|---|---|---|
| Access Token | 1 hour | Yes, via refresh token |
| Refresh Token | 7 days | Yes, returns new pair |
| API Key | Until revoked | N/A |
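The login/refresh flow and the lifetimes in the table above, as an added example that is not Decisio's own client library. The transport and the clock are injected so it runs offline; `FakeAuthServer` is a constructed stand-in whose token strings are placeholders, not JWTs, and its one-time use of refresh tokens is this example's assumption (the page only says a refresh returns a new pair).

```python
import time
from typing import Callable, Dict, Optional

REFRESH_MARGIN = 60            # refresh this many seconds before expiry
ACCESS_LIFETIME = 3600         # 1 hour, from the Token Lifetimes table
REFRESH_LIFETIME = 7 * 86400   # 7 days, from the Token Lifetimes table


class TokenManager:
    """Holds the access/refresh pair and renews the access token before it expires."""

    def __init__(self, post: Callable[[str, dict], dict], now: Callable[[], float] = time.time):
        self._post = post            # post(path, json_body) -> parsed JSON response
        self._now = now
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None
        self._access_expires_at = 0.0
        self._refresh_expires_at = 0.0

    def login(self, email: str, password: str) -> None:
        self._store(self._post("/auth/login", {"email": email, "password": password}))

    def _store(self, resp: dict) -> None:
        if resp.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type in auth response")
        self._access = resp["access_token"]
        self._refresh = resp["refresh_token"]
        # Trust the server's expires_in rather than a hard-coded hour.
        self._access_expires_at = self._now() + float(resp["expires_in"])
        self._refresh_expires_at = self._now() + REFRESH_LIFETIME

    def authorization_header(self) -> Dict[str, str]:
        """Return the Authorization header, refreshing first if the access token is about to expire."""
        if self._access is None:
            raise RuntimeError("not logged in")
        if self._now() >= self._access_expires_at - REFRESH_MARGIN:
            if self._now() >= self._refresh_expires_at:
                raise RuntimeError("refresh token expired; interactive login required")
            self._store(self._post("/auth/refresh", {"refresh_token": self._refresh}))
        return {"Authorization": f"Bearer {self._access}"}


class FakeAuthServer:
    """Constructed stand-in for api.decisio.ai; issues counter-based placeholder tokens."""

    def __init__(self):
        self.issued = 0
        self.valid_refresh = set()

    def post(self, path: str, body: dict) -> dict:
        if path == "/auth/login":
            if body != {"email": "user@company.com", "password": "correct-horse"}:
                raise PermissionError("401 invalid credentials")
        elif path == "/auth/refresh":
            if body.get("refresh_token") not in self.valid_refresh:
                raise PermissionError("401 invalid or reused refresh token")
            self.valid_refresh.discard(body["refresh_token"])  # assumed: spent after one use
        else:
            raise ValueError(f"unknown path {path}")
        self.issued += 1
        refresh = f"refresh-{self.issued}"
        self.valid_refresh.add(refresh)
        return {"access_token": f"access-{self.issued}", "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_LIFETIME}


def demo():
    """Log in, use the token, advance the clock an hour and show the silent refresh."""
    server = FakeAuthServer()
    clock = [1_000_000.0]
    tm = TokenManager(server.post, now=lambda: clock[0])
    tm.login("user@company.com", "correct-horse")
    first = tm.authorization_header()["Authorization"]
    clock[0] += ACCESS_LIFETIME        # one hour later: access token has expired
    second = tm.authorization_header()["Authorization"]
    return first, second, server.issued


if __name__ == "__main__":
    print(demo())
```

The manager refreshes slightly early (`REFRESH_MARGIN`) so a request issued just before the hour boundary does not fail mid-flight, and it surfaces refresh-token expiry as a distinct error so callers know a fresh login, not a retry, is required.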
Scopes & Permissions
API keys and tokens can be scoped to specific permissions:
| Scope | Access Level |
|---|---|
| read:products | View products and inventory |
| write:products | Create/update products |
| read:decisions | View AI decisions |
| write:decisions | Approve/reject decisions |
| read:analytics | Access reports and metrics |
| admin | Full administrative access |
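Scope enforcement over the table above, as an added example rather than Decisio's own authorization code. It treats `admin` as implying every scope (the page calls it full administrative access) and includes an excess-scope check for auditing keys against the minimum-permissions rule; the `require_scope` decorator and `approve_decision` handler are illustrative names, not API endpoints.

```python
from functools import wraps

# The six scopes from the Scopes & Permissions table.
SCOPES = {
    "read:products", "write:products",
    "read:decisions", "write:decisions",
    "read:analytics", "admin",
}


def validate_scopes(scopes):
    """Reject scope names that are not in the table (typos would otherwise fail open or closed silently)."""
    scopes = set(scopes)
    unknown = scopes - SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    return scopes


def is_allowed(granted, required):
    """True when a key or token holding `granted` may perform an operation that needs `required`."""
    granted = validate_scopes(granted)
    if required not in SCOPES:
        raise ValueError(f"unknown scope: {required}")
    return "admin" in granted or required in granted


def excess_scopes(granted, used):
    """Scopes a key holds but its integration never exercises: candidates for removal.
    A key that holds admin but only performs ordinary operations shows admin as excess."""
    return sorted(validate_scopes(granted) - validate_scopes(used))


def require_scope(required):
    """Decorator for a server-side handler; the handler takes the caller's granted scopes first."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(granted, *args, **kwargs):
            if not is_allowed(granted, required):
                raise PermissionError(f"403: operation requires scope {required}")
            return handler(granted, *args, **kwargs)
        return wrapped
    return decorator


@require_scope("write:decisions")
def approve_decision(granted, decision_id):
    # Illustrative handler; the real approve flow is not described on this page.
    return {"decision": decision_id, "status": "approved"}


if __name__ == "__main__":
    print(excess_scopes({"read:products", "write:products", "admin"}, {"read:products"}))
```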
Error Responses
Security Best Practices
- Never expose API keys in client-side code
- Store keys in environment variables, not source code
- Use test keys for development, live keys only in production
- Rotate keys periodically (quarterly recommended)
- Set minimum necessary permissions for each key
- Monitor API key usage in the dashboard
- Revoke compromised keys immediately
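The key-handling practices in this list, together with the X-API-Key header and prefix table from the API Key Authentication section, as one added example that is not Decisio's SDK. It reads the key from an environment variable instead of source, classifies it by prefix, refuses a live key outside production (and a test key in production), and produces a redacted form for logs. The variable names `DECISIO_API_KEY` and `DECISIO_ENV`, the helper names, and the assumed shape of the key body (the page only shows it masked) are this example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Prefixes from the API Key Prefixes table.
PREFIX_ENVIRONMENTS = {
    "dcs_live_": "production",
    "dcs_test_": "sandbox",
}
# Assumed key body format; the page shows the body only as x's.
KEY_PATTERN = re.compile(r"^(dcs_live_|dcs_test_)[A-Za-z0-9]{8,}$")


@dataclass(frozen=True)
class ApiKey:
    value: str

    @property
    def prefix(self) -> str:
        for p in PREFIX_ENVIRONMENTS:
            if self.value.startswith(p):
                return p
        raise ValueError("unrecognised API key prefix")

    @property
    def environment(self) -> str:
        return PREFIX_ENVIRONMENTS[self.prefix]

    def redacted(self) -> str:
        """Form that is safe to write to logs or dashboards: prefix plus the last four characters."""
        return f"{self.prefix}...{self.value[-4:]}"

    def headers(self) -> dict:
        return {"X-API-Key": self.value}


def load_api_key(deployment_env: str, env: Optional[Mapping[str, str]] = None) -> ApiKey:
    """Read DECISIO_API_KEY (never a literal in source) and enforce the
    live-only-in-production rule against the key's own prefix."""
    env = os.environ if env is None else env
    raw = env.get("DECISIO_API_KEY")
    if not raw:
        raise RuntimeError("DECISIO_API_KEY is not set")
    if not KEY_PATTERN.match(raw):
        raise ValueError("DECISIO_API_KEY does not look like a Decisio key")
    key = ApiKey(raw)
    if deployment_env == "production" and key.environment != "production":
        raise RuntimeError("production deployment must use a dcs_live_ key")
    if deployment_env != "production" and key.environment == "production":
        raise RuntimeError("live key used outside production; use a dcs_test_ key")
    return key


if __name__ == "__main__":
    # DECISIO_ENV is an assumed variable naming where this process is running.
    key = load_api_key(os.environ.get("DECISIO_ENV", "development"))
    print("using", key.redacted(), "against", key.environment)
```

Failing fast on a prefix/environment mismatch at startup catches the common mistake of a production key leaking into a developer's shell, and the redacted form is what should appear in logs when correlating with the usage shown in the dashboard.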
Key Compromise
If you suspect an API key has been compromised, revoke it immediately from Settings → API Keys. Create a new key and update your integrations.