
Authentication

All API requests require authentication using Supabase Auth. QiQ Social uses JWT-based authentication with Row Level Security (RLS) to ensure workspace isolation.

Authentication Flow

1. Sign In

Obtain an access token by signing in with email and password:

```bash
curl -X POST 'https://htavwovliunjkqnzknnj.supabase.co/auth/v1/token?grant_type=password' \
  -H "apikey: <anon-key>" \
  -H "Content-Type: application/json" \
  -d '{ "email": "user@example.com", "password": "your-password" }'
```

Response:

```json
{
  "access_token": "eyJhbGciOiJIUzI...",
  "refresh_token": "abc123...",
  "expires_in": 3600,
  "token_type": "bearer"
}
```

2. Use the Token

Include the access token in all subsequent requests:

```bash
curl 'https://htavwovliunjkqnzknnj.supabase.co/rest/v1/automations' \
  -H "apikey: <anon-key>" \
  -H "Authorization: Bearer <access-token>"
```

3. Refresh the Token

Access tokens expire after 1 hour. Use the refresh token to get a new access token:

```bash
curl -X POST 'https://htavwovliunjkqnzknnj.supabase.co/auth/v1/token?grant_type=refresh_token' \
  -H "apikey: <anon-key>" \
  -H "Content-Type: application/json" \
  -d '{ "refresh_token": "abc123..." }'
```

Required Headers

Every API request must include:

| Header | Value | Description |
|---|---|---|
| `apikey` | Your Supabase anon key | Project-level public API key |
| `Authorization` | `Bearer <access-token>` | User's JWT access token |
| `Content-Type` | `application/json` | Required for POST/PATCH/PUT requests |

Row Level Security (RLS)

All database queries are automatically scoped by RLS policies. This means:

  • Users can only access data within workspaces they belong to
  • All queries must include the workspace_id filter for workspace-scoped tables
  • The JWT token determines which workspaces the user has access to

Edge Function Authentication

Edge Functions use the same JWT token:

```bash
curl -X POST 'https://htavwovliunjkqnzknnj.supabase.co/functions/v1/<function-name>' \
  -H "Authorization: Bearer <access-token>" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
```

The Edge Function validates the token server-side and extracts the user ID to enforce authorization.
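What that server-side validation involves, as an added illustration that is not QiQ Social's or Supabase's own code: verify the access token's HS256 signature with the project's JWT secret, pin the algorithm, reject expired tokens, and only then trust the `sub` claim as the user ID. It assumes Supabase Auth's symmetric (HS256) signing and the `aud: "authenticated"` claim it sets on user tokens; the secret and token below are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256_token(claims: dict, secret: str) -> str:
    """Constructed helper so the example runs offline: builds an HS256 JWT
    in the shape the sign-in response above returns as access_token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def user_id_from_token(token: str, secret: str, now: Optional[int] = None) -> str:
    """Return the `sub` claim only after signature and expiry check out.
    Raises ValueError for anything the function should answer with 401."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose it (alg=none, key confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time compare so signature checking leaks no timing information
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # Access tokens expire after 1 hour; a stale one must be refreshed, not honoured
    if claims.get("exp") is None or now >= int(claims["exp"]):
        raise ValueError("token expired")
    # Assumption: user tokens carry aud="authenticated"; service/anon tokens do not
    if claims.get("aud") != "authenticated" or not claims.get("sub"):
        raise ValueError("not an authenticated user token")
    return str(claims["sub"])

def authorize(token: str, secret: str, now: Optional[int] = None) -> Tuple[int, str]:
    """HTTP-style decision: (200, user_id) or (401, reason). Reasons stay generic
    on the wire; log the specific one server-side instead."""
    try:
        return 200, user_id_from_token(token, secret, now)
    except ValueError:
        return 401, "unauthorized"
```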
