Authentication
All Scriptix API requests require authentication using Bearer tokens.
Authentication Methods
Scriptix supports two authentication methods:
- JWT Session Tokens - For web application access (user login)
- API Access Tokens - For programmatic API access (batch processing, integrations)
User Authentication (JWT Tokens)
Login Flow
Standard Login:
POST https://api.scriptix.io/api/v3/auth/login?login_type=token
Content-Type: application/x-www-form-urlencoded
username=user@example.com&password=yourpassword&remember_me=true
Response:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"login": true,
"mfa_required": false,
"session_id": "abc123",
"signature": "xyz789"
}
Multi-Factor Authentication (MFA)
If MFA is enabled, login requires a second step:
POST https://api.scriptix.io/api/v3/auth/login/mfa?login_type=token
Content-Type: application/x-www-form-urlencoded
username=user@example.com&password=yourpassword&totp_code=123456
Or with backup code:
username=user@example.com&password=yourpassword&backup_code=ABCD-EFGH-IJKL
Microsoft SSO
GET https://api.scriptix.io/api/v3/auth/login/microsoft?redirect_uri=https://yourapp.com/callback
The token is returned as a URL parameter in the redirect.
API Access Tokens
Create API Token
For programmatic access (batch processing, integrations), create an API token:
POST https://api.scriptix.io/api/v3/tokens
Authorization: Bearer YOUR_JWT_TOKEN
Content-Type: application/json
{
"name": "Batch Processing Token",
"type": "batch"
}
Response:
{
"id": 123,
"name": "Batch Processing Token",
"key": "token_abc123def456...",
"type": "batch",
"created_at": "2025-01-17T10:00:00Z"
}
⚠️ The key value is only shown once. Store it securely immediately.
List API Tokens
GET https://api.scriptix.io/api/v3/tokens?offset=0&limit=25
Authorization: Bearer YOUR_JWT_TOKEN
Delete API Token
DELETE https://api.scriptix.io/api/v3/tokens/{tokenId}
Authorization: Bearer YOUR_JWT_TOKEN
Using Bearer Tokens
Authorization Header
Include your token in the Authorization header with Bearer scheme:
Authorization: Bearer YOUR_TOKEN
Examples
cURL
curl https://api.scriptix.io/api/v3/account/me \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Python
import requests
headers = {
"Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
response = requests.get(
"https://api.scriptix.io/api/v3/account/me",
headers=headers
)
JavaScript
const headers = {
'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
};
fetch('https://api.scriptix.io/api/v3/account/me', { headers })
.then(response => response.json())
.then(data => console.log(data));
TypeScript
const token = process.env.SCRIPTIX_TOKEN;
const headers = new Headers({
'Authorization': `Bearer ${token}`
});
const response = await fetch('https://api.scriptix.io/api/v3/account/me', {
headers
});
Security Best Practices
1. Never Expose API Keys
❌ Don't:
- Commit keys to version control
- Hardcode keys in source code
- Expose keys in client-side code
- Share keys in public forums
- Log keys in application logs
✅ Do:
- Use environment variables
- Store in secure vaults (AWS Secrets Manager, etc.)
- Rotate keys regularly
- Use separate keys for dev/production
2. Use Environment Variables��
# .env file (add to .gitignore)
SCRIPTIX_API_KEY=sk_live_abc123...
# Python
import os
API_KEY = os.environ.get('SCRIPTIX_API_KEY')
// Node.js
const API_KEY = process.env.SCRIPTIX_API_KEY;
3. Rotate Keys Regularly
Rotate API keys every 90 days or immediately if compromised:
- Create new API key
- Update applications with new key
- Test thoroughly
- Delete old key
4. Use Key Naming
Name keys descriptively to track usage:
production-web-appstaging-servermobile-app-iosdev-local-testing
5. Restrict Key Permissions
Enterprise plans can restrict keys to specific:
- IP addresses
- API endpoints
- Rate limits
Managing Multiple Keys
Use Case-Specific Keys
Create separate keys for different use cases:
# config.py
PRODUCTION_API_KEY = os.environ.get('SCRIPTIX_PROD_KEY')
STAGING_API_KEY = os.environ.get('SCRIPTIX_STAGING_KEY')
TEST_API_KEY = os.environ.get('SCRIPTIX_TEST_KEY')
# Use appropriate key based on environment
def get_api_key():
env = os.environ.get('ENVIRONMENT', 'development')
if env == 'production':
return PRODUCTION_API_KEY
elif env == 'staging':
return STAGING_API_KEY
else:
return TEST_API_KEY
Team Collaboration
For teams, create per-user or per-service keys:
john-dev-key- John's development keybackend-service-key- Backend service keymobile-app-key- Mobile application key
This enables tracking and revocation without affecting other team members.
Authentication Errors
401 Unauthorized
Missing API key:
{
"error": "Unauthorized",
"message": "Missing API key",
"error_code": "MISSING_API_KEY"
}
Solution: Include Authorization header.
Invalid API key:
{
"error": "Unauthorized",
"message": "Invalid API key",
"error_code": "INVALID_API_KEY"
}
Solution: Check key is correct and not revoked.
Expired API key:
{
"error": "Unauthorized",
"message": "API key has been revoked",
"error_code": "KEY_REVOKED"
}
Solution: Create new API key.
403 Forbidden
Insufficient permissions:
{
"error": "Forbidden",
"message": "API key does not have permission for this operation",
"error_code": "INSUFFICIENT_PERMISSIONS"
}
Solution: Use key with appropriate permissions or upgrade plan.
Key Management via API
List API Keys
GET /api/v3/api-keys
curl https://api.scriptix.io/api/v3/api-keys \
-H "Authorization: Bearer YOUR_API_KEY"
Response:
{
"result": [
{
"id": 123,
"name": "production-web-app",
"key_prefix": "sk_live_abc1",
"created_at": "2025-01-01T10:00:00Z",
"last_used_at": "2025-01-17T14:30:00Z",
"status": "active"
}
]
}
Create API Key
POST /api/v3/api-keys
curl -X POST https://api.scriptix.io/api/v3/api-keys \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "new-service-key", "type": "live"}'
Response:
{
"id": 124,
"name": "new-service-key",
"key": "sk_live_xyz789...",
"key_prefix": "sk_live_xyz7",
"created_at": "2025-01-17T15:00:00Z"
}
⚠️ Save the key value immediately - it won't be shown again.
Revoke API Key
DELETE /api/v3/api-keys/{id}
curl -X DELETE https://api.scriptix.io/api/v3/api-keys/123 \
-H "Authorization: Bearer YOUR_API_KEY"
Testing Authentication
Verify API Key
Test your API key with a simple request:
curl https://api.scriptix.io/api/v3/me \
-H "Authorization: Bearer YOUR_API_KEY"
Success response:
{
"id": 456,
"email": "user@example.com",
"organization": "Acme Corp",
"plan": "Gold"
}
Test Key Validation
import requests
def validate_api_key(api_key):
"""Validate API key by testing authentication."""
try:
response = requests.get(
'https://api.scriptix.io/api/v3/me',
headers={'Authorization': f'Bearer {api_key}'}
)
if response.status_code == 200:
print("✓ API key is valid")
return True
elif response.status_code == 401:
print("✗ API key is invalid")
return False
else:
print(f"✗ Unexpected response: {response.status_code}")
return False
except Exception as e:
print(f"✗ Error validating key: {e}")
return False
# Usage
validate_api_key("sk_live_abc123...")
Rate Limiting
API keys are subject to rate limits based on your plan. See Rate Limits for details.
Each API response includes rate limit headers:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1642089600
Migration from Legacy Authentication
If you're using legacy authentication methods:
OAuth 2.0 (Deprecated)
OAuth 2.0 is deprecated. Migrate to API keys:
# Old (OAuth)
headers = {'Authorization': f'Bearer {oauth_token}'}
# New (API Key)
headers = {'Authorization': f'Bearer {api_key}'}
Session Tokens (Deprecated)
Session tokens are no longer supported. Use API keys for all API access.
Next Steps
- API Overview - Learn about available APIs
- Rate Limits - Understand rate limiting
- Error Codes - Handle authentication errors
Security tip: Treat API keys like passwords. Never share them publicly.