APIAuthentication

Authentication

The Quper API uses Bearer JWT tokens issued by Auth0 for all authentication. Every request to the API must include a valid token in the Authorization header. Tokens are obtained via the Auth0 login flow and carry embedded claims that drive multi-tenant data isolation.

Request Header

Include the token as a Bearer credential in the Authorization header on every API request:

HTTP Request Header

GET /api/v1/users HTTP/1.1
Host: api.quper.co
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

Obtaining a Token

Tokens are issued through the Auth0 authorization flow. The Quper web frontend handles token acquisition automatically via the Auth0 SDK and attaches the token to all outgoing API requests. For direct API access (scripts, integrations), use the Auth0 Client Credentials or Resource Owner Password flows with your tenant's Auth0 domain.

Auth0 Token Request (Client Credentials)

curl -X POST https://YOUR_AUTH0_DOMAIN/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "audience": "https://api.quper.co",
    "grant_type": "client_credentials"
  }'

JWT Token Claims

The JWT payload contains standard Auth0 claims plus Quper-specific custom claims. The API reads these claims on every request to determine the authenticated user's identity and scope.

Claim	Type	Description
sub	string	Auth0 user ID (e.g., `auth0\|abc123`)
user_id	string (UUID)	Internal Quper user ID used for permission lookups
tenant_id	string (UUID)	Tenant identifier — all data queries are scoped to this tenant
env_id	string (UUID)	Active environment ID — determines which Redshift schema is queried
roles	string[]	Array of role names assigned to the user (e.g., `["admin"]`)
email	string	Verified email address from Auth0
exp	number (Unix timestamp)	Token expiration time — tokens are valid for 24 hours by default

Token Validation

The FastAPI backend validates tokens on every request using Auth0's JWKS endpoint. The validation checks:

Token signature using Auth0's public RSA key
Token expiration (exp claim)
Audience (aud must match https://api.quper.co)
Issuer (iss must match your Auth0 domain)

Error Responses

Authentication failures return standard HTTP error codes before any business logic is executed:

Status	Cause	Resolution
401 Unauthorized	Missing, expired, or invalid token	Re-authenticate via Auth0 to get a fresh token
403 Forbidden	Valid token but insufficient permissions for the requested resource	Contact your tenant admin to adjust your role or permissions

Token Lifetime

Tokens expire after 24 hours by default. The Quper frontend automatically refreshes tokens using Auth0's silent authentication before expiry. For long-running scripts, implement token refresh logic or use a service account with client credentials.