# Authentication
Identra uses two credentials and no ceremony: a publishable application id for the browser, and a secret API key for your server. End users get short-lived access tokens you verify locally.
| Credential | Used by | Sent as | Notes |
|---|---|---|---|
| Publishable application id | Browser / client SDKs | `x-application-id` | Identifies which application a request belongs to. Safe to ship in client code. Browser auth sends it with every request; the end-user access token lives in memory only. |
| Secret API key | Your server only | `Authorization: Bearer identra_sk_…` | Grants management access to an application's data. Shown once on creation, hashed at rest, never returned again. Never expose it in client code. |
| End-user access token | Issued to signed-in users | `Authorization: Bearer <jwt>` | An EdDSA-signed JWT minted on sign-in. Verify it locally with the cached JWKS — no network on the hot path. Carries `sub`, `sid`, `aal`, `org`, and `org_role`. |
## Management requests (server → Identra)

Server-to-server calls — creating users, listing sessions, managing keys — authenticate with a secret API key sent as a Bearer token, plus the `x-application-id` header that scopes the request to one application.
```shell
curl "http://localhost:8080/v1/api-keys" \
  -X POST \
  -H "x-application-id: $IDENTRA_APP_ID" \
  -H "Authorization: Bearer $IDENTRA_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "production-backend", "scopes": ["admin"] }'
```

## Verifying an end-user token
When a user signs in, Identra issues an EdDSA-signed access token. Your backend verifies it against the application's JWKS, which the server SDK caches — so verification is local and adds no latency to your hot path. Tokens are scoped to one application; a token from another tenant fails verification.
```typescript
import { IdentraServer } from "@identra/node";

const identra = new IdentraServer({
  baseUrl: "http://localhost:8080",
  applicationId: process.env.IDENTRA_APP_ID!,
  apiKey: process.env.IDENTRA_API_KEY, // only needed for management calls
});

// Verify an end-user token locally (cached JWKS, no network on the hot path).
// `req` is your framework's incoming request object.
const claims = await identra.verifyToken(req.headers.authorization ?? "");
// claims.sub · claims.sid · claims.aal · claims.org · claims.org_role
```

## Trying requests from this reference
Every endpoint page has a Try it panel. Open Connection there (or the button in a panel header) and paste your base URL, application id, and a secret key. They're stored only in this browser's local storage and are sent solely as headers on requests you run — never to Identra's documentation. For the request to succeed, your dashboard origin must be in the API's CORS allowlist.