All API requests require a valid Bearer token in the Authorization header. Tokens are issued by Supabase Auth and tied to the authenticated user’s session.

Getting a token

Authenticate with Supabase Auth to obtain an access token. The exact method depends on your authentication flow (email/password, magic link, OAuth, etc.).
import { createClient } from "@supabase/supabase-js";

const supabase = createClient(
  "https://<project-ref>.supabase.co",
  "<anon-key>"
);

// Sign in (email/password example)
const { data, error } = await supabase.auth.signInWithPassword({
  email: "user@example.com",
  password: "your-password",
});

// Stop here if sign-in failed; data.session is null in that case
if (error) throw error;

// Get the access token from the session
const accessToken = data.session?.access_token;

Making authenticated requests

Include the token in the Authorization header as a Bearer token:
import { ApiService } from "@/services/api/ApiService";

// ApiService handles token retrieval automatically
const genies = await ApiService.invoke({
  resource: "genies",
  action: "all",
});

Token expiry

Supabase access tokens expire after a set duration (typically 1 hour). The Supabase client library handles token refresh automatically when using supabase.auth.getSession() or supabase.auth.onAuthStateChange(). If you manage tokens manually, watch for UNAUTHORIZED or INVALID_TOKEN errors and refresh the session:
const { data, error } = await supabase.auth.refreshSession();
// Check the error before reading the session
if (error) throw error;
const newToken = data.session?.access_token;

Do not hard-code access tokens. They are short-lived and tied to individual user sessions. Always retrieve fresh tokens from the Supabase Auth session.

Authentication errors

| Error code | HTTP status | Description |
| --- | --- | --- |
| UNAUTHORIZED | 401 | The Authorization header is missing or does not contain a Bearer token. |
| INVALID_TOKEN | 401 | The token is malformed, expired, or has been revoked. |

Both errors return the standard error envelope:
{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Missing or invalid Authorization header",
    "status": 401
  }
}
See Error handling for the complete error reference.
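
For callers that manage tokens manually, the refresh guidance under "Token expiry" and the error envelope above combine into a single refresh-and-retry wrapper. This is an added example, not code from this API's client: authedRequest, getToken, refreshToken and fetchImpl are hypothetical names, and the caller supplies the request URL.

```javascript
// Added example. authedRequest, getToken, refreshToken and fetchImpl are
// hypothetical names, not part of the documented API.
const AUTH_ERROR_CODES = new Set(["UNAUTHORIZED", "INVALID_TOKEN"]);

// True only for a 401 that carries the documented error envelope.
function isAuthError(status, body) {
  return (
    status === 401 &&
    body !== null &&
    typeof body === "object" &&
    body.success === false &&
    AUTH_ERROR_CODES.has(body.error?.code)
  );
}

// getToken:     async () => (await supabase.auth.getSession()).data.session?.access_token
// refreshToken: async () => (await supabase.auth.refreshSession()).data.session?.access_token
async function authedRequest(url, { getToken, refreshToken, fetchImpl = fetch, init = {} }) {
  const send = async (token) => {
    // Fail closed: never send a request with "Bearer undefined".
    if (!token) throw new Error("No active session; sign in again");
    const res = await fetchImpl(url, {
      ...init,
      headers: { ...init.headers, Authorization: `Bearer ${token}` },
    });
    // A non-JSON body (for example a proxy error page) counts as "no envelope".
    const body = await res.json().catch(() => null);
    return { status: res.status, body };
  };

  const first = await send(await getToken());
  if (!isAuthError(first.status, first.body)) return first;

  // Refresh once and retry once. A second auth error means the session is no
  // longer valid, so surface it to the caller instead of looping.
  const second = await send(await refreshToken());
  if (isAuthError(second.status, second.body)) {
    throw new Error(`Authentication failed after refresh: ${second.body.error.code}`);
  }
  return second;
}
```

The wrapper never logs or stores the token, and the single retry keeps a revoked session from triggering repeated refresh calls.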