Skip to content

Sending Authentication Tokens

SpartanAuth uses two types of credentials depending on who is making the request:

CredentialHeaderIssued toUse case
JWTAuthorization: Bearer <token>An end user (via the login widget)User-context requests from your frontend or backend
API keyX-API-Key: <key>Your backend serviceServer-to-server / admin operations

After a user logs in via the login widget, a JWT is stored in localStorage under the key spartan-token. Include it in every request your frontend makes to your own backend (which then verifies it) or directly to the SpartanAuth API for user-context operations like MFA registration or profile updates.

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
async function apiFetch(path: string, options: RequestInit = {}) {
const token = localStorage.getItem('spartan-token');
return fetch(path, {
...options,
headers: {
'Content-Type': 'application/json',
...options.headers,
...(token ? { Authorization: `Bearer ${token}` } : {}),
},
});
}
Terminal window
curl https://api.spartanauth.com/api/v1/introspect \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "Content-Type: application/json" \
-d '{"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."}'

API keys are long-lived credentials intended for backend services performing administrative operations — creating users, listing sector data, managing settings, etc. They are sent in the X-API-Key header, which is checked before the Authorization header on every request.

X-API-Key: sprtk_4a7b3c...
Terminal window
curl https://api.spartanauth.com/api/v1/sectors/{sectorID}/users \
-H "X-API-Key: sprtk_4a7b3c..."
async function adminFetch(path: string, options: RequestInit = {}) {
return fetch(`https://api.spartanauth.com${path}`, {
...options,
headers: {
'Content-Type': 'application/json',
...options.headers,
'X-API-Key': process.env.SPARTAN_API_KEY!,
},
});
}
req, _ := http.NewRequest("GET", "https://api.spartanauth.com/api/v1/sectors/"+sectorID+"/users", nil)
req.Header.Set("X-API-Key", os.Getenv("SPARTAN_API_KEY"))
resp, err := http.DefaultClient.Do(req)

  • Use a JWT when the action is performed on behalf of a logged-in user (e.g. updating their profile, registering a passkey, submitting an OTP).
  • Use an API key when the action is performed by your backend service with no user involved (e.g. creating a user via invite, listing users for an admin dashboard, updating sector settings).
  • Some endpoints — like token introspection and Traefik ForwardAuth — are designed to be called from your backend and typically use whichever credential your backend has available.
  • Public endpoints (login, signup, password reset initiation) require no credential.