Skip to main content

Authentication

End-user and integrator auth is implemented in the Streamdat API. This page summarizes the model; every request shape is in Swagger.

JWT access and refresh

Email/password and OAuth sign-in issue short-lived access tokens and rotating refresh tokens. Send Authorization: Bearer <access> on API calls. Refresh uses a dedicated route and server-side token store (Redis in production) so reuse can be detected.

OAuth providers

Social sign-in is currently Google only (OAuth 2.0 with PKCE); email/password remains the default. For publishing accounts, YouTube has a dedicated OAuth linking flow that verifies the channel before saving. Other platforms (TikTok, X, Instagram, Facebook, Reddit) have publisher code paths but no OAuth linking flow yet; they stay stubbed until platform credentials are configured on the deployment. Tokens for posting are encrypted at rest. Provider-specific routes live under /api/auth and /api/accounts in the OpenAPI document.

Workspaces

After login, most resources are scoped to a workspace. Switching the active workspace uses the dedicated API (see Swagger: switch-workspace style routes). Middleware injects tenancy context so queries cannot cross workspace boundaries.

Integrators

For server-to-server automation, prefer a service account or long-lived pattern only if your deployment documents one; the default product surface is browser + mobile-first user sessions. Machine clients should respect rate limits documented with each route group.