
Overview

Adminest uses Auth0 for authentication. Every API request must carry a valid JWT access token, obtained through the Auth0 authentication flow, sent as a bearer token.

Getting a Token

For Web Applications

Use the Auth0 React SDK (@auth0/auth0-react) to authenticate users and obtain an access token for the API. useAuth0() is a React hook, so it must be called inside a component rendered under Auth0Provider:
import { useAuth0 } from '@auth0/auth0-react';

function DocumentsButton() {
  const { getAccessTokenSilently } = useAuth0();

  async function fetchToken() {
    // audience selects the API the token is issued for; it must match
    // the audience the server validates against
    const token = await getAccessTokenSilently({
      authorizationParams: {
        audience: 'https://adminest-api'
      }
    });
    return token;
  }

  return <button onClick={fetchToken}>Load documents</button>;
}

Auth0 Configuration

Parameter   Value
Domain      auth0.adminest.com
Audience    https://adminest-api
Scope       openid profile email

Using the Token

Include the token in the Authorization header:
curl -X GET https://api.adminest.com/api/documents \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6..."

Token Structure

The JWT contains:

Token Expiration

Access tokens expire 24 hours after they are issued. getAccessTokenSilently() returns the cached token while it is still valid and obtains a new one once it has expired, so call it before each request instead of storing the token yourself.

Error Responses

401 Unauthorized

{
  "error": "Unauthorized",
  "message": "Invalid or expired token"
}
Common causes:
  • Token is expired
  • Token is malformed
  • Token was issued for a different audience (the audience parameter did not match https://adminest-api)

403 Forbidden

{
  "error": "Forbidden",
  "message": "Insufficient permissions"
}
Common causes:
  • User doesn’t have access to the resource
  • Feature not available for user’s plan
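The error handling above in practice, as an added example that is not part of the Adminest documentation or SDK: a client helper that sends the token only in the Authorization header, retries a 401 exactly once with a freshly obtained token, and treats 403 as final because a new token cannot grant missing permissions. The stand-ins for getAccessTokenSilently and fetch, the token strings and the /api/admin path are constructed for the example; cacheMode: 'off' is the @auth0/auth0-react v2 option that bypasses the SDK's token cache.

```javascript
// Added example (not Adminest's own code): a client helper that sends the
// token in the Authorization header and treats 401 and 403 differently.
// getToken and fetchImpl are injected so the helper can run against the
// constructed stand-ins below instead of Auth0 and the live API.
const API_BASE = 'https://api.adminest.com';
const API_AUDIENCE = 'https://adminest-api';

async function callApi(path, { getToken, fetchImpl = fetch }) {
  // The token travels only in the header; the URL never carries it.
  const send = (token) =>
    fetchImpl(`${API_BASE}${path}`, { headers: { Authorization: `Bearer ${token}` } });

  let response = await send(await getToken({ authorizationParams: { audience: API_AUDIENCE } }));

  if (response.status === 401) {
    // 401: the token was rejected (expired, malformed, wrong audience).
    // Bypass the SDK cache to obtain a fresh token and retry exactly once.
    const fresh = await getToken({ authorizationParams: { audience: API_AUDIENCE }, cacheMode: 'off' });
    response = await send(fresh);
  }

  if (response.status === 401 || response.status === 403) {
    // 403 means the token is valid but the user lacks permission; a new
    // token will not change that, so neither status is retried further.
    const body = await response.json();
    throw new Error(`${body.error}: ${body.message}`);
  }
  return response;
}

// --- Constructed stand-ins so the helper runs offline -----------------------
const STALE_TOKEN = 'stale.token.value'; // placeholders, not real JWTs
const FRESH_TOKEN = 'fresh.token.value';

// Mimics useAuth0().getAccessTokenSilently: always hands out the stale cached
// token unless asked to bypass the cache with cacheMode: 'off'.
function makeFakeAuth0() {
  let calls = 0;
  return {
    calls: () => calls,
    getAccessTokenSilently: async (opts = {}) => {
      calls += 1;
      return opts.cacheMode === 'off' ? FRESH_TOKEN : STALE_TOKEN;
    },
  };
}

// Mimics the API: 401 for anything but the fresh token, 403 on /api/admin.
async function fakeFetch(url, { headers }) {
  const token = (headers.Authorization || '').replace(/^Bearer /, '');
  const reply = (status, body) => ({ status, json: async () => body });
  if (token !== FRESH_TOKEN) {
    return reply(401, { error: 'Unauthorized', message: 'Invalid or expired token' });
  }
  if (url.endsWith('/api/admin')) {
    return reply(403, { error: 'Forbidden', message: 'Insufficient permissions' });
  }
  return reply(200, { documents: [] });
}

// Runs both scenarios and reports what happened.
async function demo() {
  const auth = makeFakeAuth0();
  const deps = { getToken: auth.getAccessTokenSilently, fetchImpl: fakeFetch };
  const ok = await callApi('/api/documents', deps); // 401, then 200 on retry
  let forbidden = null;
  try {
    await callApi('/api/admin', deps);              // 401, then 403 on retry
  } catch (err) {
    forbidden = err.message;
  }
  return { status: ok.status, tokenCalls: auth.calls(), forbidden };
}
```

In a real component, pass getAccessTokenSilently from useAuth0() as getToken and leave fetchImpl at its default. The single retry matters: looping on 401 with a token the server keeps rejecting would hammer Auth0 as well as the API.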

Security Best Practices

Never Expose Tokens

Send the token only in the Authorization header. Don’t put it in a URL (query strings end up in browser history, Referer headers and server access logs) and don’t write it to application logs or error reports.

Use HTTPS

Always call the API over HTTPS. A bearer token is all an attacker needs to act as the user, so a token observed on a cleartext connection can be replayed until it expires.

Refresh Tokens

Rely on short-lived access tokens that the SDK renews rather than minting long-lived tokens. getAccessTokenSilently() handles the renewal; with @auth0/auth0-react, setting useRefreshTokens on Auth0Provider makes the SDK renew the access token with a refresh token instead of a hidden iframe.

Validate on Server

Always validate tokens server-side before trusting any claim: verify the RS256 signature against the signing keys published at the Auth0 domain’s JWKS endpoint, and check that iss matches the Auth0 domain, aud is https://adminest-api and exp has not passed. Decoding a token is not validation; a client-side check can only decide when to renew a token, never whether to grant access.