Sending Authentication Tokens
SpartanAuth uses two types of credentials depending on who is making the request:
| Credential | Header | Issued to | Use case |
|---|---|---|---|
| JWT | Authorization: Bearer <token> | An end user (via the login widget) | User-context requests from your frontend or backend |
| API key | X-API-Key: <key> | Your backend service | Server-to-server / admin operations |
JWT — user requests
Section titled “JWT — user requests”After a user logs in via the login widget, a JWT is stored in localStorage under the key spartan-token. Include it in every request your frontend makes to your own backend (which then verifies it) or directly to the SpartanAuth API for user-context operations like MFA registration or profile updates.
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...Frontend helper (TypeScript)
Section titled “Frontend helper (TypeScript)”async function apiFetch(path: string, options: RequestInit = {}) { const token = localStorage.getItem('spartan-token'); return fetch(path, { ...options, headers: { 'Content-Type': 'application/json', ...options.headers, ...(token ? { Authorization: `Bearer ${token}` } : {}), }, });}curl example
Section titled “curl example”curl https://api.spartanauth.com/api/v1/introspect \ -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \ -H "Content-Type: application/json" \ -d '{"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."}'API key — server-to-server requests
Section titled “API key — server-to-server requests”API keys are long-lived credentials intended for backend services performing administrative operations — creating users, listing sector data, managing settings, etc. They are sent in the X-API-Key header, which is checked before the Authorization header on every request.
X-API-Key: sprtk_4a7b3c...curl example
Section titled “curl example”curl https://api.spartanauth.com/api/v1/sectors/{sectorID}/users \ -H "X-API-Key: sprtk_4a7b3c..."Node.js / fetch example
Section titled “Node.js / fetch example”async function adminFetch(path: string, options: RequestInit = {}) { return fetch(`https://api.spartanauth.com${path}`, { ...options, headers: { 'Content-Type': 'application/json', ...options.headers, 'X-API-Key': process.env.SPARTAN_API_KEY!, }, });}Go example
Section titled “Go example”req, _ := http.NewRequest("GET", "https://api.spartanauth.com/api/v1/sectors/"+sectorID+"/users", nil)req.Header.Set("X-API-Key", os.Getenv("SPARTAN_API_KEY"))resp, err := http.DefaultClient.Do(req)Which credential to use
Section titled “Which credential to use”- Use a JWT when the action is performed on behalf of a logged-in user (e.g. updating their profile, registering a passkey, submitting an OTP).
- Use an API key when the action is performed by your backend service with no user involved (e.g. creating a user via invite, listing users for an admin dashboard, updating sector settings).
- Some endpoints — like token introspection and Traefik ForwardAuth — are designed to be called from your backend and typically use whichever credential your backend has available.
- Public endpoints (login, signup, password reset initiation) require no credential.