Permissions

All Hyperspell API requests are authenticated using a Bearer token. There are two types of tokens:

App Token

A secret token that allows you to perform any action for any user. Never share this token with anyone. It is meant to be used only in a server-side environment.

User Token

These are JWTs that are issued specifically for a user of your app, and restrict which data that user can access and which actions they can perform.

When you create documents or collections with an app token, they are accessible by all users of your app. Conversely, documents and collections created with a user token are only accessible to the specific user that the token was issued to.

Likewise, when using an app token, you can query data from all users. That’s why it is important to keep the app token secret.

Generating Tokens

You can generate app tokens on the Dashboard. Tokens are only visible once, so make sure to save them in a secure location.

To obtain a user token, use the auth/user_token endpoint or the SDK and pass the ID of your user:

curl --request POST \
  --url https://api.hyperspell.com/auth/user_token \
  --header 'Authorization: Bearer YOUR_APP_TOKEN' \
  --header 'Content-Type: application/json'

See the API Reference for more information and usage examples. The auth/user_token endpoint is the only endpoint that is accessible only with an app token. If you do not use a backend to generate user tokens, or use a service like Clerk or Auth0 to manage your users, you can also configure them to provide a user token to your frontend.
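The following is an added example, not code from Hyperspell's documentation or SDK: a server-side helper that builds the auth/user_token request so the app token stays on the backend and the user ID comes only from the verified session. The request-body field name `user_id`, the environment variable `HYPERSPELL_APP_TOKEN` and the session key `authenticated_user_id` are assumptions; check the API Reference for the real request shape.

```python
import json
import os
import urllib.request

TOKEN_URL = "https://api.hyperspell.com/auth/user_token"  # endpoint named on this page

# ASSUMPTION: the page does not show the request body. "user_id" is a
# hypothetical field name; confirm it in the API Reference.
USER_ID_FIELD = "user_id"


def load_app_token(env=os.environ):
    """Read the app token from the server environment; never hard-code it."""
    token = env.get("HYPERSPELL_APP_TOKEN", "")  # hypothetical variable name
    if not token:
        raise RuntimeError("HYPERSPELL_APP_TOKEN is not set on the server")
    return token


def build_user_token_request(session, app_token):
    """Build the POST that requests a user token for the signed-in user.

    The user ID is read from the server-side session only. If it were taken
    from a query string or request body, any caller could obtain a token
    scoped to a different user.
    """
    user_id = session.get("authenticated_user_id")  # hypothetical session key
    if not isinstance(user_id, str) or not user_id:
        raise PermissionError("no authenticated user in session")
    body = json.dumps({USER_ID_FIELD: user_id}).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {app_token}",
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network here.
    session = {"authenticated_user_id": "user-123"}
    req = build_user_token_request(session, "app-token-placeholder")
    print(req.get_method(), req.full_url, req.data.decode())
```

Sending the request with `urllib.request.urlopen(req)` and returning only the resulting user token to the browser keeps the app token out of frontend code and client-visible responses.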