Authentication
End-user and integrator auth is implemented in the Streamdat API. This page summarizes the model; every request shape is in Swagger.
JWT access and refresh
Email/password and OAuth sign-in issue short-lived access tokens and rotating refresh tokens. Send Authorization: Bearer <access> on API calls. Refresh uses a dedicated route and a server-side token store (Redis in production) so reuse can be detected.
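The rotation and reuse detection described above, as an added example that is not Streamdat's own code. A dict stands in for the Redis store, and the class names, the token-family scheme and the revoke-on-reuse response are assumptions made for illustration.

```python
import hashlib
import secrets

class ReuseDetected(PermissionError):
    """A refresh token that was already rotated out was presented again."""

class RefreshStore:
    """Dict-backed stand-in for the server-side store (hypothetical layout, no TTLs)."""

    def __init__(self):
        self.tokens = {}       # sha256(token) -> {"family", "user", "used"}
        self.revoked = set()   # session families ended after reuse

    @staticmethod
    def _key(token):
        # Keep only a digest so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, family=None):
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(8)
        self.tokens[self._key(token)] = {"family": family, "user": user, "used": False}
        return token

    def rotate(self, token):
        # In a shared store this lookup-and-mark step must be atomic.
        rec = self.tokens.get(self._key(token))
        if rec is None or rec["family"] in self.revoked:
            raise PermissionError("unknown or revoked refresh token")
        if rec["used"]:
            # Two holders of one token means a copy leaked: end the whole family.
            self.revoked.add(rec["family"])
            raise ReuseDetected(rec["user"])
        rec["used"] = True
        return self.issue(rec["user"], rec["family"])

def demo():
    store = RefreshStore()
    t1 = store.issue("user-123")   # constructed sample user id
    t2 = store.rotate(t1)          # normal refresh: t1 is exchanged for t2
    try:
        store.rotate(t1)           # the rotated-out token is replayed
    except ReuseDetected:
        replay = "reuse-detected"
    try:
        store.rotate(t2)           # the newest token in the family is dead too
    except PermissionError:
        latest = "revoked"
    return replay, latest
```

After a detected reuse the user has to sign in again, because the server cannot tell which holder of the replayed token is the legitimate client.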
OAuth providers
Social platforms (YouTube, TikTok, X, and others) use OAuth 2.0 / PKCE where required. Tokens for posting are encrypted at rest. Provider-specific routes live under /api/auth and /api/accounts in the OpenAPI document.
Workspaces
After login, most resources are scoped to a workspace. Switching the active workspace uses the dedicated API (see Swagger: switch-workspace style routes). Middleware injects tenancy context so queries cannot cross workspace boundaries.
Integrators
For server-to-server automation, use a service account or long-lived pattern only if your deployment documents one; the default product surface is browser and mobile-first user sessions. Machine clients should respect the rate limits documented with each route group.