Authentication
All protected API routes require a Bearer token in the Authorization header:
```http
Authorization: Bearer <accessToken>
```

Current token model
The production app uses Clerk for user identity and API requests carry an app-issued JWT-compatible bearer token. This is the session credential used by the dashboard and first-party clients.
For server-to-server integrations, use a scoped, organization-owned API key instead — see the Public Developer API. API keys are minted from the dashboard, carry explicit scopes, and are rate-limited per key.
```bash
curl https://api.vitae.ai/v1/auth/verify \
  -H "Authorization: Bearer <accessToken>"
```

Successful response:

```json
{
  "status": "OK"
}
```

Account actions
Authenticated users can manage their account email:
| Endpoint | Method | Description |
|---|---|---|
| /v1/auth/verify | GET | Verify the bearer token |
| /v1/auth/logout | DELETE | Clear the current token |
| /v1/auth/change-email | POST | Request an email change |
| /v1/auth/change-email/confirm | POST | Confirm an email change |
| /v1/auth/change-email/resend | POST | Resend the confirmation code |
Clerk
The app also supports Clerk-backed sessions. Clerk webhooks keep Vitae.ai user records synchronized.
Enterprise SSO
Enterprise SSO is configured per organization. Contact your account team for tenant setup.
API keys
The public API supports organization-scoped API keys, presented as Authorization: Bearer vit_<prefix>_<secret> (or via the X-API-Key header), with the same response and error envelope as app tokens. Keys carry explicit scopes and a per-key rate limit, and are minted and rotated from the dashboard. See the Public Developer API for the full key model, scopes, and endpoints, and Outbound Webhooks for event subscriptions.
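The following is an added illustration, not code from the Vitae.ai docs or codebase, of how a resource server can accept a key from either header form described above, tell a `vit_<prefix>_<secret>` key apart from an app token, and keep the secret out of logs. The character classes in the key pattern and the `Credential` type are assumptions; the page does not specify how keys are validated internally.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Key shape from the docs: vit_<prefix>_<secret>. The character classes are an
# assumption; the real validation rules are not specified on the page.
API_KEY_RE = re.compile(r"^vit_(?P<prefix>[A-Za-z0-9]+)_(?P<secret>[A-Za-z0-9]+)$")


@dataclass(frozen=True)
class Credential:
    kind: str              # "api_key" or "app_token"
    value: str             # the raw credential; never write this to logs
    prefix: Optional[str]  # key prefix (safe to log); None for app tokens


def extract_credential(headers: Mapping[str, str]) -> Optional[Credential]:
    """Pull the credential out of an inbound request, accepting both header forms.

    Authorization takes precedence over X-API-Key when both are present.
    Returns None for a missing, malformed, or wrong-scheme credential so the
    caller rejects the request instead of guessing.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive

    raw = None
    if "authorization" in lower:
        parts = lower["authorization"].split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
            return None  # e.g. "Basic ..." or a bare "Bearer": reject, do not fall through
        raw = parts[1]
    elif "x-api-key" in lower:
        raw = lower["x-api-key"]
    if not raw:
        return None

    m = API_KEY_RE.match(raw)
    if m:
        return Credential("api_key", raw, m.group("prefix"))
    if "authorization" in lower:
        return Credential("app_token", raw, None)  # Bearer value that is not a vit_ key
    return None  # X-API-Key must carry a vit_ key


def redact(cred: Credential) -> str:
    """Log-safe rendering: key prefix only; nothing identifying for app tokens."""
    if cred.kind == "api_key":
        return f"vit_{cred.prefix}_***"
    return "app_token:***"
```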
Security
- Always use HTTPS
- Never expose organization tokens in client-side code
- Scope tokens to the minimum organization and role required
- Rotate tokens when team members or vendors lose access