Sentinel uses Supabase as its identity provider. Every API request to a protected endpoint must carry a valid Supabase JSON Web Token (JWT) in the Authorization header. The backend validates the token signature, extracts the caller's identity, and attaches it to audit fields such as approved_by on actions. This page explains how to obtain a token, how the backend validates it, and how the separate webhook secret works for the Alertmanager integration.
Protected vs. Open Endpoints
| Endpoint | Auth required |
|---|---|
| All /api/incidents/* endpoints | ✅ Bearer JWT |
| POST /api/execute-action | ✅ Bearer JWT |
| POST /api/incidents/{id}/reject | ✅ Bearer JWT |
| POST /api/incidents/{id}/postpone | ✅ Bearer JWT |
| POST /api/alerts | ❌ Webhook secret (see below) |
| GET /api/health | ❌ Open |
| GET /health | ❌ Open |
Authorization Header Format
Pass the Supabase access token as a Bearer credential on every protected request: `Authorization: Bearer <access_token>`. A request that omits the token, or presents one that fails validation, is rejected with 401 Unauthorized and an error body.
Obtaining a Token
Supabase issues JWTs when a user authenticates with email and password. Use the official Supabase client library or the Supabase Auth REST API directly:
- Python (supabase-py)
- JavaScript (supabase-js)
- cURL (REST)

Each of these returns a session containing access_token (the JWT), refresh_token, and expiry information. Use access_token in the Authorization header.
Using the Token
- cURL
- Python (requests)
- JavaScript (fetch)
JWT Validation Algorithms
Sentinel's auth.py supports both JWT signing algorithms used by Supabase:
| Algorithm | When used | Validation method |
|---|---|---|
| HS256 | Self-hosted / older Supabase projects | SUPABASE_JWT_SECRET environment variable |
| ES256 | Supabase Cloud (newer projects) | Public key fetched from {SUPABASE_URL}/auth/v1/.well-known/jwks.json and cached in-process |
The backend reads the alg field in the JWT header and selects the appropriate validation path automatically. Audience (aud) verification is disabled to accommodate both service-role and anon-role tokens.

Set the SUPABASE_JWT_SECRET environment variable on the backend for HS256 token support. For ES256 (Supabase Cloud), the backend fetches the JWKS endpoint automatically using SUPABASE_URL.
JWT Payload Fields
The decoded JWT payload provides two fields that Sentinel uses internally:

| Field | Type | Usage |
|---|---|---|
| sub | string | Supabase user UUID; used as fallback identity |
| email | string | Human-readable identity; preferred for approved_by audit field |
When a caller approves an action, their email (or sub if email is absent) is recorded in the incident's approved_by field.
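The following is an added example, not Sentinel's auth.py, that shows the HS256 validation path and the identity extraction described above using only the Python standard library. It pins the accepted algorithm set in configuration instead of trusting the token's own alg claim, verifies the HMAC signature with a constant-time comparison, and, because aud is not checked, treats exp as the only claim-level gate between a correctly signed token and access. The secret, the claims and the function names are constructed for the example; the ES256 (JWKS) path is left out because it needs an EC library and a live JWKS fetch.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example; Sentinel reads the real value from SUPABASE_JWT_SECRET.
SUPABASE_JWT_SECRET = "example-hs256-secret-do-not-reuse"

# Algorithms this verifier accepts. The set is fixed by configuration, not by the token:
# trusting the token's own `alg` is what makes "alg":"none" and HS/ES confusion tokens work.
# The real backend also allows ES256 and verifies it against the project's JWKS.
ALLOWED_ALGS = {"HS256"}


class AuthError(Exception):
    """Any token that must be answered with 401 Unauthorized."""


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256_token(payload: dict, secret: str, alg_header: str = "HS256") -> str:
    """Build a compact JWT signed with HMAC-SHA256 (used here only to construct sample tokens)."""
    header = {"alg": alg_header, "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: str, now=None) -> dict:
    """Validate a Supabase-style JWT and return its payload, or raise AuthError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        raise AuthError("malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AuthError("malformed token")

    # Dispatch on the header's alg, as the page describes, but only within ALLOWED_ALGS.
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise AuthError(f"unsupported alg {alg!r}")
    if alg == "HS256":
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise AuthError("bad signature")

    # aud is deliberately not verified (see above), so expiry is the only claim check left
    # between a validly signed token and access: require exp and reject once it has passed.
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise AuthError("token expired or missing exp")
    return payload


def is_valid(token: str, secret: str, now=None) -> bool:
    """Convenience wrapper: True when verify_token accepts the token."""
    try:
        verify_token(token, secret, now)
        return True
    except AuthError:
        return False


def caller_identity(payload: dict) -> str:
    """Value written to approved_by: email when present, otherwise the Supabase user UUID in sub."""
    return payload.get("email") or payload["sub"]
```

The `now` parameter exists only so the expiry check can be exercised with fixed timestamps; a production verifier would use the clock directly.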
Alerts Webhook Secret
The POST /api/alerts endpoint does not use Supabase JWTs. Instead it uses a shared secret configured via the ALERT_WEBHOOK_SECRET environment variable. Alertmanager sends this secret as a Bearer token in the same Authorization header format: `Authorization: Bearer <ALERT_WEBHOOK_SECRET>`.

The backend compares the presented value against ALERT_WEBHOOK_SECRET using a constant-time comparison (hmac.compare_digest) to prevent timing attacks.
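An added example, not Sentinel's own code, of the check just described: it extracts the Bearer credential from the Authorization header and compares it to the shared secret with hmac.compare_digest. The secret value and the function names are constructed for the example.

```python
import hmac

# Constructed for this example; Sentinel reads the real value from the ALERT_WEBHOOK_SECRET env var.
ALERT_WEBHOOK_SECRET = "constructed-webhook-secret-value"


def bearer_credential(authorization_header):
    """Return the credential from an 'Authorization: Bearer <credential>' value, or None.

    Accepts only the Bearer scheme (case-insensitively, as RFC 6750 allows) and rejects
    an empty credential, so a missing or malformed header never reaches the comparison.
    """
    if not authorization_header:
        return None
    scheme, _, credential = authorization_header.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    return credential


def verify_alert_webhook(authorization_header, expected_secret=ALERT_WEBHOOK_SECRET):
    """True when the request carries the shared webhook secret, False otherwise."""
    presented = bearer_credential(authorization_header)
    if presented is None:
        return False
    # hmac.compare_digest does not stop at the first mismatching byte, so the response
    # time does not reveal how much of the secret a caller guessed correctly; a plain
    # `presented == expected_secret` can short-circuit and leak that.
    return hmac.compare_digest(presented.encode(), expected_secret.encode())
```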
See the Alerts page for Alertmanager configuration examples.