Authentication
How to authenticate requests to the DramWell API using API keys, JWT bearer tokens, and the Supabase auth integration.
Overview
The DramWell API supports two authentication methods depending on your use case:
- API keys — for server-to-server integrations, scripts, and third-party tools
- JWT bearer tokens — for user sessions within DramWell apps or when acting on behalf of a logged-in user
Both methods pass credentials in the Authorization header.
API Keys
API keys are long-lived credentials tied to your organization. They are the recommended choice for server-side integrations where no user session exists.
Key formats
| Prefix | Environment |
|---|---|
| sk_live_ | Production — charges and actions are real |
| sk_test_ | Sandbox — safe for development and testing |
Always use sk_test_ keys during development. Test keys have the same permissions as live keys but operate against isolated sandbox data.
Generating an API key
- Log in to the DramWell admin panel at admin.dramwell.ai.
- Navigate to Settings > Security > API Keys.
- Click Create API Key, give it a descriptive label, and click Generate.
- Copy the key immediately — it is only shown once.
Using an API key
Pass the key as a Bearer token in every request:
```http
GET /v1/customers
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxx
```
JWT Bearer Tokens
When a user authenticates through any DramWell app (DramTrade, DramGuest, DramPulse), Supabase Auth issues a short-lived JWT. That token can be passed directly to the API to make requests on behalf of that user, scoped to their organization and role.
JWTs expire after 1 hour. Your client must refresh them using the Supabase client SDK's refreshSession() method before expiry.
```http
GET /v1/jobs
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
Supabase Auth Integration
DramWell is built on Supabase Auth. If you are building a custom front-end or mobile app that uses @supabase/supabase-js, authenticate your users through the Supabase client and pass the resulting access_token to the API as a Bearer token — no additional API key is needed.
```javascript
// Read the current Supabase session and forward its access token to the API.
const { data: { session } } = await supabase.auth.getSession()
const response = await fetch('https://api.dramwell.ai/v1/jobs', {
  headers: {
    'Authorization': `Bearer ${session?.access_token}`
  }
})
```
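As an added example (not code from the DramWell docs or SDK), the following Node.js helpers tie the two credential types above together on the client side: they classify an API key by the sk_live_ / sk_test_ prefix, refuse a live key from a non-production environment, and call refreshSession() before the 1-hour JWT lapses. The `supabase` argument is assumed to be an initialised @supabase/supabase-js client, and the 60-second refresh margin is a chosen default.

```javascript
// Added example, not code from the DramWell docs: helpers that classify an
// API key by the prefixes in the table above, block sk_live_ keys outside
// production, and refresh a Supabase JWT before its 1-hour expiry.
// Assumes Node.js (Buffer) and an initialised @supabase/supabase-js client.

// 'live' | 'test' | null, from the sk_live_ / sk_test_ prefix.
function classifyApiKey(key) {
  if (typeof key !== 'string') return null;
  if (key.startsWith('sk_live_')) return 'live';
  if (key.startsWith('sk_test_')) return 'test';
  return null;
}

// Build the Authorization header, refusing a live key from a non-production env.
function apiKeyHeaders(key, env) {
  const kind = classifyApiKey(key);
  if (kind === null) throw new Error('not a DramWell API key (expected sk_live_/sk_test_)');
  if (kind === 'live' && env !== 'production') {
    throw new Error(`sk_live_ key rejected in ${env}; use a sk_test_ key`);
  }
  return { Authorization: `Bearer ${key}` };
}

// Seconds until the JWT's exp claim. This only decodes the payload to schedule a
// refresh; signature verification is the API server's job, not the client's.
function secondsUntilExpiry(jwt, nowMs = Date.now()) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  if (!Number.isInteger(payload.exp)) throw new Error('JWT has no exp claim');
  return payload.exp - Math.floor(nowMs / 1000);
}

// Return a session whose access_token is valid for at least marginSec more
// seconds, calling refreshSession() (as the page requires) when it is about to lapse.
async function freshSession(supabase, marginSec = 60) {
  let { data: { session } } = await supabase.auth.getSession();
  if (!session) throw new Error('no signed-in user');
  if (secondsUntilExpiry(session.access_token) < marginSec) {
    const { data, error } = await supabase.auth.refreshSession();
    if (error) throw error;
    session = data.session;
  }
  return session;
}
```

Call `freshSession(supabase)` right before each request and put `session.access_token` in the Authorization header, so a token that expires mid-session never reaches the API.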
Service Role Key
For backend services that need to bypass Row Level Security — such as data pipelines, cron jobs, or admin scripts — use the Supabase service role key. This key has full read/write access to all organization data and must never be exposed in client-side code or committed to version control.
Store it as an environment variable:
```shell
SUPABASE_SERVICE_ROLE_KEY=eyJhbGci...
```
Pass it as a Bearer token the same way as other keys. Requests authenticated with the service role key are not subject to RLS policies.
Security Best Practices
- Rotate API keys immediately if you suspect they have been compromised — use Settings > Security > API Keys > Revoke.
- Store keys in environment variables or a secrets manager (AWS Secrets Manager, Doppler, Vault) — never in source code.
- Grant keys only the scopes your integration actually needs.
- Use sk_test_ keys in CI/CD pipelines and staging environments.