Authentication
sota.io supports two authentication methods: Supabase JWT tokens and API keys.
Supabase JWT
Used by the dashboard and CLI. Tokens are obtained through Supabase Auth (email/password).
curl https://api.sota.io/v1/projects \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
The API verifies the token signature with the Supabase JWT secret (HS256, a shared symmetric secret: anyone holding it can mint valid tokens, so it must live only on the API server). The payload carries the user ID (the sub claim) and expires after 1 hour; the Supabase SDK refreshes tokens automatically.
API Keys
Used for CI/CD pipelines, scripts, and MCP integration. API keys are prefixed with sota_, and only a SHA-256 hash of each key is stored server-side: a presented key is hashed and looked up, and the plaintext cannot be recovered from the database.
curl https://api.sota.io/v1/projects \
-H "Authorization: Bearer sota_a1b2c3d4e5f6..."
Creating an API Key
curl -X POST https://api.sota.io/v1/api-keys \
-H "Authorization: Bearer <jwt>" \
-H "Content-Type: application/json" \
-d '{"name": "CI/CD Key"}'
Response:
{
"data": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "CI/CD Key",
"key": "sota_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2",
"key_prefix": "sota_a1b2c3d4",
"created_at": "2026-02-25T10:00:00Z"
}
}
Important: The full key is shown only once, at creation, and cannot be retrieved later. Store it in a secrets manager or CI secret store; if it is lost, revoke it and create a new one.
Key Management
See API Keys for listing and revoking keys.
Dual Authentication
The API middleware accepts either credential in the same Authorization: Bearer header. A token that starts with sota_ is hashed and looked up as an API key; anything else is verified as a Supabase JWT.
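The following is an added example, not sota.io's own code, modelling the two pieces described above: the API-key creation flow (mint a sota_ key, persist only its SHA-256 hash and display prefix, return the plaintext once) and the dual-auth middleware (dispatch on the sota_ prefix, otherwise verify an HS256 JWT). The key store, the JWT secret, the 40-hex-character key body and the sign_hs256_jwt helper (standing in for Supabase Auth) are assumptions for the example; the HS256 verifier pins the algorithm so an alg:none or RS256 header is rejected rather than trusted.

```python
# Added example (not sota.io code): API-key minting plus dual-auth dispatch.
# Assumptions: in-memory key store, stand-in JWT secret, sota_ + 40 hex chars.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

JWT_SECRET = b"example-supabase-jwt-secret"  # assumption: stand-in for the Supabase JWT secret
KEY_STORE: dict = {}  # sha256 hex of key -> {"id", "name", "key_prefix", "user_id"}


def create_api_key(user_id: str, name: str) -> dict:
    """Mint a sota_-prefixed key; persist only its SHA-256 hash and a display prefix."""
    key = "sota_" + secrets.token_hex(20)  # 40 hex chars after the prefix (assumed length)
    digest = hashlib.sha256(key.encode()).hexdigest()
    record = {"id": secrets.token_hex(16), "name": name,
              "key_prefix": key[:13], "user_id": user_id}  # "sota_" + 8 chars
    KEY_STORE[digest] = record
    # The plaintext leaves the server exactly once; it is not recoverable from KEY_STORE.
    return {"id": record["id"], "name": name, "key": key, "key_prefix": record["key_prefix"]}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the HS256 signature and exp check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm: never let the token choose how it is verified
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= current:
        return None
    return claims


def sign_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Stand-in for Supabase Auth issuing a token (assumption; test helper only)."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def authenticate(authorization: Optional[str]) -> Optional[dict]:
    """Resolve an Authorization header to the caller's identity, or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    token = authorization[len("Bearer "):].strip()
    if token.startswith("sota_"):
        # Lookup is by hash, so the secret itself is never compared or stored.
        rec = KEY_STORE.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return None
        return {"user_id": rec["user_id"], "via": "api_key", "key_id": rec["id"]}
    claims = verify_hs256_jwt(token, JWT_SECRET)
    if not claims or "sub" not in claims:
        return None
    return {"user_id": claims["sub"], "via": "jwt"}


if __name__ == "__main__":
    created = create_api_key("user-1", "CI/CD Key")
    print(authenticate("Bearer " + created["key"]))
    jwt = sign_hs256_jwt({"sub": "user-2", "exp": time.time() + 3600}, JWT_SECRET)
    print(authenticate("Bearer " + jwt))
```

The prefix check is the only thing that routes a credential to one path or the other, so an attacker cannot present a JWT to the API-key path or vice versa; the two failure modes worth testing are a forged or expired JWT and a key whose hash is not in the store, both of which must fall through to None rather than to a partial identity.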