# Authentication

> API key and Supabase token exchange flows

DalyAPI uses JWT bearer tokens for protected endpoints.

## Flow 1: API Key Exchange

Exchange a workspace API key and a user API key for a JWT. The `workspace_id` and `user_id` fields of the request body carry the two API keys.

**Endpoint**: `POST /auth/token`

```json
{
  "workspace_id": "WORKSPACE_API_KEY",
  "user_id": "USER_API_KEY"
}
```

Returns:

```json
{
  "result": "success",
  "token": "<jwt>"
}
```

## Flow 2: Supabase Exchange

If your client already has a Supabase token:

1. `GET /auth/workspaces` to list accessible workspaces
2. `POST /auth/exchange-supabase` with the chosen `workspace_id`

Both endpoints require:

```text
Authorization: Bearer <supabase-access-token>
```

## Use the Daly JWT

For protected routes:

```text
Authorization: Bearer <daly-jwt>
```

Example:

```bash
curl -sS "$DALY_API_BASE_URL/tasks" \
  -H "Authorization: Bearer $DALY_TOKEN"
```
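
A minimal client for Flow 1 followed by the protected-route call, added here as an illustration and not part of DalyAPI's own code. It uses only the Python standard library; the `DALY_WORKSPACE_API_KEY` and `DALY_USER_API_KEY` variable names, the helper function names and the HTTPS-only check are assumptions of this example.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit


def _url(base_url, path):
    # Assumption: refuse plain HTTP so keys and JWTs never travel in clear text.
    if urlsplit(base_url).scheme != "https":
        raise ValueError("base URL must use https")
    return base_url.rstrip("/") + path


def token_request(base_url, workspace_key, user_key):
    """Build the POST /auth/token request; the *_id fields carry the API keys."""
    body = json.dumps({"workspace_id": workspace_key, "user_id": user_key})
    return urllib.request.Request(
        _url(base_url, "/auth/token"), data=body.encode(), method="POST",
        headers={"Content-Type": "application/json"})


def parse_token(body):
    """Return the JWT from a response body; raise without echoing the body."""
    doc = json.loads(body)
    if (not isinstance(doc, dict) or doc.get("result") != "success"
            or not isinstance(doc.get("token"), str) or not doc["token"]):
        raise RuntimeError("token exchange failed")
    return doc["token"]


def authorized_request(base_url, path, token):
    """Build a GET for a protected route with the Daly JWT as bearer token."""
    return urllib.request.Request(
        _url(base_url, path), method="GET",
        headers={"Authorization": f"Bearer {token}"})


if __name__ == "__main__":
    base = os.environ["DALY_API_BASE_URL"]
    # Hypothetical variable names; keys come from the environment, not argv.
    req = token_request(base, os.environ["DALY_WORKSPACE_API_KEY"],
                        os.environ["DALY_USER_API_KEY"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = parse_token(resp.read())
    tasks = authorized_request(base, "/tasks", token)
    with urllib.request.urlopen(tasks, timeout=10) as resp:
        print(resp.status)  # the token itself is never printed
```

Reading the keys from the environment keeps them out of shell history and the process argument list, and the error path never includes the response body, so a failed exchange does not leak credentials into logs.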

## JWT Claims (Server-Validated)

Core claims used by API dependencies:

* `workspace_id`
* `user_id`
* `organization_id` (optional)
* `workspace_role` (optional, refreshed from DB)

<Warning>
  Keep API keys and JWTs server-side where possible. Workspace and user API keys are long-lived credentials.
</Warning>
