Skip to main content
SQR supports two authentication methods. Both use the same Authorization: Bearer header. API keys are 48-character hex strings. Create one from the dashboard or via the API. 
curl https://yys-sqr-render-bsbe.onrender.com/api/records \
  -H "Authorization: Bearer abc123def456..."

Create a key

Sign in to the Dashboard, go to API Keys, and click Create Key. Or use the API: 
curl -X POST https://yys-sqr-render-bsbe.onrender.com/api/keys \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT" \
  -H "Content-Type: application/json" \
  -d '{"name": "production"}'
Creating and managing API keys requires a Supabase JWT — you cannot use an API key to create another API key.

Revoke a key

curl -X POST https://yys-sqr-render-bsbe.onrender.com/api/keys/3/revoke \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT"

Supabase JWT

If you’re building a browser-based integration, use the Supabase JS client to get a session token: 
const { data: { session } } = await supabase.auth.getSession();
const token = session.access_token;

fetch('/api/records', {
  headers: { 'Authorization': `Bearer ${token}` }
});

Which endpoints require auth?

EndpointAuth required
GET /api/healthNo
GET /api/templatesNo
GET /api/records/:idNo
POST /api/records/:id/scanNo
POST /api/embedNo
POST /api/recordsYes
GET /api/recordsYes
PATCH /api/records/:idYes
POST /api/records/:id/mintYes
POST /api/records/:id/claimYes
POST /api/keysYes (JWT only)
GET /api/keysYes (JWT only)