Skip to main content

Authentication

VinMake uses Supabase Auth with JWT (JSON Web Tokens) for secure API access. All API endpoints (except /auth/login) require authentication.

Authentication Flow

1

Login

Send your email and password to /auth/login to receive an access token
2

Store Token

Save the access_token securely (never commit to version control)
3

Include in Requests

Add the token to the Authorization header for all API calls
4

Refresh When Expired

Re-authenticate when you receive a 401 Unauthorized response

Login Endpoint

Endpoint: POST /auth/login Content-Type: application/x-www-form-urlencoded Request Body:
Use the field name username even though the value is an email address. This follows OAuth2 password flow conventions.
Example Request:
Success Response (200):
Error Response (401):

Using the Access Token

Include the token in the Authorization header with the Bearer scheme:

Token Expiration

  • Lifetime: 1 hour (3600 seconds)
  • Refresh Strategy: Re-authenticate when you receive a 401 response
  • Best Practice: Implement automatic token refresh in your client
Access tokens expire after 1 hour. There is currently no refresh token mechanism — you must re-authenticate with your email and password.

Role-Based Access Control

VinMake has three user roles, each with different permissions:

Client Role

Access Level: Limited
  • Can only view and manage their own data
  • Cannot access other clients’ information
  • Cannot perform admin operations
Typical Use Case: External customers who need read-only access to their orders and invoices

Staff Role

Access Level: Standard
  • Full CRUD access to most resources (materials, BOMs, production orders, etc.)
  • Can view all clients’ data
  • Cannot manage users or system-wide settings
Typical Use Case: VinMake team members working on production, procurement, or operations

Admin Role

Access Level: Full
  • Complete access to all resources
  • Can manage users and permissions
  • Can access system administration endpoints (API keys, webhooks, etc.)
  • Can perform backups and other privileged operations
Typical Use Case: VinMake founders, CTO, system administrators

Authorization Errors

When you don’t have permission to access a resource: Response (403 Forbidden):
Response (401 Unauthorized):

Password Reset

Endpoint: POST /api/v1/auth/reset-password-request Request a password reset email:
This sends a password reset email via Supabase Auth. Follow the link in the email to set a new password.

Security Best Practices

Store credentials in environment variables or secure vaults:
All VinMake API endpoints use HTTPS. Never send credentials over HTTP.
Don’t wait for a 401 error in the middle of a critical operation. Proactively refresh tokens before they expire:
Change your password periodically, especially if:
  • You suspect credentials have been compromised
  • A team member with access leaves the company
  • Tokens were accidentally logged or exposed
For scripts and integrations, consider using API keys (managed via /api/v1/api-keys endpoint) instead of user passwords. API keys can be:
  • Revoked without changing user passwords
  • Scoped to specific permissions
  • Monitored independently

API Keys (Alternative to User Auth)

For automation and integrations, VinMake supports API keys: Create an API Key:
Use an API Key:
API keys are ideal for:
  • CI/CD pipelines
  • Scheduled scripts
  • Third-party integrations
  • Service accounts
Revoke an API Key:

Testing Authentication

Use these test endpoints to verify your authentication and check your role: Test Client Role:
Test Staff Role:
Test Admin Role:
Each endpoint returns 200 OK only if you have the required role level or higher.

Example: Python Client with Auto-Refresh

Here’s a complete example of a Python client with automatic token refresh:

Troubleshooting

Solution: Re-authenticate to get a fresh token. Implement automatic refresh logic to prevent this.
Solution: Double-check your email and password. Ensure you’re using the correct account.
Solution: Your user role doesn’t have access to this endpoint. Contact an admin to upgrade your permissions, or use an account with appropriate role.
Solution: Ensure you’re including the header in every request:

Next Steps

Quickstart

Make your first authenticated API call

API Reference

Explore the API reference inside Mintlify