Authentication
VinMake uses Supabase Auth with JWT (JSON Web Tokens) for secure API access. All API endpoints (except/auth/login) require authentication.
Authentication Flow
1
Login
Send your email and password to
/auth/login to receive an access token2
Store Token
Save the
access_token securely (never commit to version control)3
Include in Requests
Add the token to the
Authorization header for all API calls4
Refresh When Expired
Re-authenticate when you receive a
401 Unauthorized responseLogin Endpoint
Endpoint:POST /auth/login
Content-Type: application/x-www-form-urlencoded
Request Body:
Use the field name
username even though the value is an email address. This follows OAuth2 password flow conventions.Using the Access Token
Include the token in theAuthorization header with the Bearer scheme:
Token Expiration
- Lifetime: 1 hour (3600 seconds)
- Refresh Strategy: Re-authenticate when you receive a
401response - Best Practice: Implement automatic token refresh in your client
Role-Based Access Control
VinMake has three user roles, each with different permissions:Client Role
Access Level: Limited- Can only view and manage their own data
- Cannot access other clients’ information
- Cannot perform admin operations
Staff Role
Access Level: Standard- Full CRUD access to most resources (materials, BOMs, production orders, etc.)
- Can view all clients’ data
- Cannot manage users or system-wide settings
Admin Role
Access Level: Full- Complete access to all resources
- Can manage users and permissions
- Can access system administration endpoints (API keys, webhooks, etc.)
- Can perform backups and other privileged operations
Authorization Errors
When you don’t have permission to access a resource: Response (403 Forbidden):Password Reset
Endpoint:POST /api/v1/auth/reset-password-request
Request a password reset email:
This sends a password reset email via Supabase Auth. Follow the link in the email to set a new password.
Security Best Practices
Never commit tokens to version control
Never commit tokens to version control
Store credentials in environment variables or secure vaults:
Use HTTPS only
Use HTTPS only
All VinMake API endpoints use HTTPS. Never send credentials over HTTP.
Implement token refresh logic
Implement token refresh logic
Don’t wait for a
401 error in the middle of a critical operation. Proactively refresh tokens before they expire:Rotate credentials regularly
Rotate credentials regularly
Change your password periodically, especially if:
- You suspect credentials have been compromised
- A team member with access leaves the company
- Tokens were accidentally logged or exposed
Use API keys for automation
Use API keys for automation
For scripts and integrations, consider using API keys (managed via
/api/v1/api-keys endpoint) instead of user passwords. API keys can be:- Revoked without changing user passwords
- Scoped to specific permissions
- Monitored independently
API Keys (Alternative to User Auth)
For automation and integrations, VinMake supports API keys: Create an API Key:Testing Authentication
Use these test endpoints to verify your authentication and check your role: Test Client Role:200 OK only if you have the required role level or higher.
Example: Python Client with Auto-Refresh
Here’s a complete example of a Python client with automatic token refresh:Troubleshooting
403 Forbidden - Insufficient permissions
403 Forbidden - Insufficient permissions
Solution: Your user role doesn’t have access to this endpoint. Contact an admin to upgrade your permissions, or use an account with appropriate role.
Next Steps
Quickstart
Make your first authenticated API call
API Reference
Explore the API reference inside Mintlify