Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/egeuysall/ryva-archive/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The Ryva API uses JWT (JSON Web Tokens) for authentication, powered by Supabase Auth. Most endpoints require a valid JWT token in the request headers.

Authentication Flow

  1. User signs up or logs in through Supabase Auth
  2. Supabase returns a JWT access token
  3. Include the token in the Authorization header for API requests
  4. The API validates the token with Supabase

Getting a Token

Tokens are obtained through Supabase Auth. Here’s an example using the Supabase client: 
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(
  'https://your-project.supabase.co',
  'your-anon-key'
)

// Sign up
const { data, error } = await supabase.auth.signUp({
  email: 'user@example.com',
  password: 'secure-password'
})

// Sign in
const { data, error } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'secure-password'
})

// Access token
const token = data.session.access_token

Making Authenticated Requests

Include the JWT token in the Authorization header with the Bearer scheme: 
curl https://api.ryva.com/v1/auth/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Token Validation

The API validates tokens by:
  1. Verifying the JWT signature using the Supabase JWT secret
  2. Checking token expiration
  3. Extracting user information from the token claims

Authentication Errors

Missing Token

{
  "error": {
    "message": "Missing authorization header",
    "code": "UNAUTHORIZED",
    "status": 401
  }
}

Invalid Token

{
  "error": {
    "message": "Invalid or expired token",
    "code": "UNAUTHORIZED",
    "status": 401
  }
}

Insufficient Permissions

{
  "error": {
    "message": "You don't have permission to access this resource",
    "code": "FORBIDDEN",
    "status": 403
  }
}

Token Lifecycle

Token Expiration

JWT tokens expire after a certain period (default: 1 hour). When a token expires, you’ll receive a 401 error.

Refreshing Tokens

Use Supabase’s refresh token mechanism to get a new access token: 
const { data, error } = await supabase.auth.refreshSession()
const newToken = data.session.access_token

Revoking Tokens

Sign out to revoke the current session: 
await supabase.auth.signOut()

Public Endpoints

Some endpoints don’t require authentication:
  • GET /health - Health check
  • POST /v1/waitlist - Join waitlist
  • POST /v1/billing/webhooks/stripe - Stripe webhooks (verified by signature)

User Context

Authenticated requests automatically include user context:
  • User ID: Extracted from the JWT sub claim
  • Email: Extracted from the JWT email claim
  • Roles: Determined by organization membership
The API uses this context to:
  • Verify resource ownership
  • Enforce role-based access control
  • Audit actions

Security Best Practices

Never expose your JWT tokens in client-side code, logs, or version control.
  1. Store tokens securely: Use secure storage mechanisms (e.g., httpOnly cookies, secure storage APIs)
  2. Use HTTPS: Always make API requests over HTTPS in production
  3. Implement token refresh: Refresh tokens before they expire
  4. Handle errors gracefully: Catch authentication errors and prompt users to re-authenticate
  5. Rotate secrets: Regularly rotate your Supabase JWT secret

Next Steps

Auth Endpoints

Manage user profiles and preferences

Organizations

Create and manage organizations

Build docs developers (and LLMs) love

Get started for freeTalk to us