Skip to main content

API Authentication

All API traffic is HTTPS to https://api.qefro.com. Qefro uses different credentials for different trust boundaries — do not reuse an Owner JWT inside the public website.

Short definition (citation-ready)

Qefro authenticates Admin Console and Internal Portal callers with user JWTs, the website widget with a publishable widget token, Business Tools with optional end-user headers (X-End-User-Token / X-End-User-Session), and platform operators with Super Admin credentials.

Credential matrix

ClientCredentialHow it is sent
Admin Console / Internal Portal / most RESTUser JWTAuthorization: Bearer <user_jwt>
GraphQL (POST /graphql)User JWTSame Bearer header
Website Widget (HTTP + WS)Widget tokenAuthorization: Bearer <widget_token> or WS ?token=
Business Tools (end user)End-user JWT or sessionX-End-User-Token and/or X-End-User-Session
Super AdminAdmin JWTFrom POST /api/v1/admin/auth/login
Metrics (optional)METRICS_AUTH_TOKENAuthorization: Bearer … when not public

Platform conceptual overview: Platform Authentication.

Architecture

1. User JWT (members & admins)

Signup, login, OTP verification, and password reset are primarily exposed through GraphQL on POST /graphql (Admin Console). After login you receive a Bearer JWT scoped to a tenant and role (owner / admin / member).

# Example: call a REST route with a console user JWT
curl -sS -H "Authorization: Bearer $USER_JWT" \
https://api.qefro.com/api/v1/billing/plans
await fetch('https://api.qefro.com/graphql', {
method: 'POST',
headers: {
Authorization: `Bearer ${userJwt}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({query: '{ __typename }'}),
});

Session management

MethodPathPurpose
GET/api/v1/me/sessionsList your sessions
DELETE/api/v1/me/sessions/:jtiRevoke a session (jti)
GET/api/v1/org/members/:id/sessionsAdmin: list member sessions
DELETE/api/v1/org/members/:id/sessions/:jtiAdmin: revoke member session

JWTs are revocable via session jti stored server-side (Redis-backed).

2. Widget token (Customer AI)

The widget token is a publishable channel key created with the organization. It authenticates the embed — not an end user.

SurfaceAuth
GET /widget.jsPublic script
GET /ws/chat?token=…Widget token query param
POST /api/v1/widget/*Bearer widget token (and/or handler-specific rules)

Rotate via Admin Console / GraphQL rotate_widget_token after incidents. Never confuse it with CRM admin secrets.

3. End-user identity (Business Tools)

When the assistant must call your API as a logged-in shopper/user, the host app calls widget identify(), and Qefro forwards:

HeaderMeaning
X-End-User-TokenEnd-user JWT from your IdP/app
X-End-User-SessionOpaque session string your API understands

Your API must authorize the end user. Qefro’s tool secret alone must not imply “act as anyone.” Details: Identity Forwarding.

4. Super Admin

POST/api/v1/admin/auth/login

Platform operator login. Returns an admin JWT for /api/v1/admin/* routes — not for tenant day-to-day use.

Tenant Admins cannot call Super Admin APIs.

5. Public / unauthenticated routes

These do not use a user JWT:

PathNotes
GET /health, GET /readyLiveness / readiness
GET /api/v1/public/tenant-brandingPortal chrome
GET /api/v1/public/tenant-slug-availableSignup helper
GET /chat/:tenant_slugPublic chat page
POST /api/v1/billing/webhookRazorpay signature
GET|POST /api/v1/whatsapp/webhookMeta verify + inbound

Workflow

Call the API safely

  1. Pick the credentialUser JWT vs widget token vs admin.
  2. Send Bearer over HTTPS onlyNo tokens in query strings for Admin APIs.
  3. Handle 401/403Refresh session or check RBAC/Teams.
  4. Revoke on logout/incidentDELETE /me/sessions/:jti.
  5. Forward end-user headers for toolsOnly when identify() is in play.

Best practices

  • Prefer memory / httpOnly cookie patterns appropriate to each client (Admin Console vs your site)
  • Rotate widget tokens after staff changes or embed leaks that enable abuse
  • Use least-privilege Members for Employee AI; keep Owner count small
  • Never commit JWTs, widget tokens, or Meta/Razorpay secrets to git

FAQ

Is there a long-lived tenant API key product?
Automation today uses user JWTs from tightly scoped service accounts/console sessions. Prefer short-lived tokens and session revocation.
Why 401 on org RBAC routes with a widget token?
Org RBAC routes under /api/v1/org/ require a user JWT. Widget tokens are only for widget HTTP routes and /ws/chat.
Are auth endpoints rate limited?
Yes — login/OTP/signup paths use Redis-backed abuse controls. See Rate Limits.