Guide

Authentication

Identra uses two credentials and no ceremony: a publishable application id for the browser, and a secret API key for your server. End users get short-lived access tokens you verify locally.

Publishable application id

Browser / client SDKs

x-application-id

Identifies which application a request belongs to. Safe to ship in client code. Browser auth sends it with every request; the end-user access token lives in memory only.

Secret API key

Your server only

Authorization: Bearer identra_sk_…

Grants management access to an application's data. Shown once on creation, hashed at rest, never returned again. Never expose it in client code.

End-user access token

Issued to signed-in users

Authorization: Bearer <jwt>

An EdDSA-signed JWT minted on sign-in. Verify it locally with the cached JWKS — no network on the hot path. Carries sub, sid, aal, org, and org_role.

Management requests (server → Identra)

Server-to-server calls — creating users, listing sessions, managing keys — authenticate with a secret API key sent as a Bearer token, plus the x-application-id header that scopes the request to one application.

cURL
curl "http://localhost:8080/v1/api-keys" \
  -X POST \
  -H "x-application-id: $IDENTRA_APP_ID" \
  -H "Authorization: Bearer $IDENTRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "production-backend", "scopes": ["admin"] }'

Verifying an end-user token

When a user signs in, Identra issues an EdDSA-signed access token. Your backend verifies it against the application's JWKS, which the server SDK caches — so verification is local and adds no latency to your hot path. Tokens are scoped to one application; a token from another tenant fails verification.

TypeScript
import { IdentraServer } from "@identra/node";

const identra = new IdentraServer({
  baseUrl: "http://localhost:8080",
  applicationId: process.env.IDENTRA_APP_ID!,
  apiKey: process.env.IDENTRA_API_KEY,   // only needed for management calls
});

// Verify an end-user token locally (cached JWKS, no network on the hot path):
const claims = await identra.verifyToken(req.headers.authorization ?? "");
// claims.sub · claims.sid · claims.aal · claims.org · claims.org_role
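What local verification against a cached JWKS involves, as an added example; it is not Identra's code or the @identra/node implementation. The names `makeApp`, `mint`, `verifyLocally`, `outcome` and `demo` are hypothetical. It assumes Ed25519 keys, a `kid` header and an `exp` claim (standard JWT fields the page does not list), and it models application scoping as each application having its own JWKS.

```javascript
// Added illustration, not the @identra/node implementation.
const crypto = require("node:crypto");
const b64u = (s) => Buffer.from(s).toString("base64url");

// Constructed fixture: one application's Ed25519 signing key and its JWKS.
function makeApp(kid) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { kid, privateKey, jwks: { keys: [{ ...publicKey.export({ format: "jwk" }), kid }] } };
}

// Constructed helper: mints a sample token so the verifier has input.
function mint(app, claims, header = { alg: "EdDSA", typ: "JWT", kid: app.kid }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = header.alg === "EdDSA" ? crypto.sign(null, Buffer.from(input), app.privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString("base64url")}`;
}

// Verifies against an already-cached JWKS; throws on any failure, no network.
function verifyLocally(authorization, cachedJwks, now = Math.floor(Date.now() / 1000)) {
  const parts = authorization.replace(/^Bearer\s+/i, "").split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token must not choose how it gets verified.
  if (header.alg !== "EdDSA") throw new Error("unexpected alg");
  const jwk = cachedJwks.keys.find((k) => k.kid === header.kid && k.kty === "OKP" && k.crv === "Ed25519");
  if (!jwk) throw new Error("unknown kid");
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: "jwk" });
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify(null, signed, key, Buffer.from(s, "base64url"))) throw new Error("bad signature");
  // Read claims only after the signature check has passed.
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// Maps a verification attempt to "ok" or the rejection reason.
function outcome(authorization, jwks, now) {
  try { verifyLocally(authorization, jwks, now); return "ok"; } catch (e) { return e.message; }
}

// Constructed scenario: two applications that happen to reuse the same kid.
function demo(now = 1700000000) {
  const appA = makeApp("key-1"), appB = makeApp("key-1");
  const claims = { sub: "user_1", sid: "sess_1", aal: "aal1", org: "org_1", org_role: "member", exp: now + 300 };
  const auth = "Bearer " + mint(appA, claims);
  return { ownApp: outcome(auth, appA.jwks, now), otherApp: outcome(auth, appB.jwks, now),
    expired: outcome(auth, appA.jwks, now + 301) };
}
console.log(demo());
```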

Trying requests from this reference

Every endpoint page has a Try it panel. Open Connection there (or the button in a panel header) and paste your base URL, application id, and a secret key. They're stored only in this browser's local storage and are sent solely as headers on requests you run — never to Identra's documentation. For the request to succeed, your dashboard origin must be in the API's CORS allowlist.