Food Trace | Authentication

API Key + Automatic JWT Security

Why API keys?

Simple, stateless authentication
Per-user keys with configurable permissions
Compatible with server-to-server and backend integrations

Simple, stateless authentication
Issued per customer portal user with configurable permissions
Compatible with server-to-server and backend integrations

Step 1: Get Your API Key

Your API key identifies your application and provides access to the Food Trace API.

Sign in to Customer Portal or Contact Support

API keys are managed in your customer portal. If you need help, please contact support.

Step 2: Authenticated API Request & JWT

Send your API key with any protected endpoint. If a JWT is required or expired, a new one will be issued in the response:

curl -X GET https://api.example.com/v1/resource \
  -H "X-API-Key: your_api_key_here"

Response:

{
  "success": true,
  "data": { ... },
  "meta": { ... },
  "newJwtToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

If an endpoint requires a JWT, include it in the Authorization header:

curl -X GET https://your-domain.com/api/your-endpoint \
  -H "X-API-Key: your_api_key_here" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Security Best Practices

Do This

✅ Store API keys securely (environment variables)
✅ Use HTTPS for all requests
✅ Implement token refresh logic
✅ Handle token expiration gracefully
✅ Log authentication events

Don't Do This

❌ Expose API keys in client-side code
❌ Store JWT tokens in localStorage
❌ Use HTTP for authentication
❌ Ignore token expiration
❌ Share API keys between environments

Why API keys?

Step 1: Get Your API Key

Step 2: Authenticated API Request & JWT

1. Make an Authenticated API Request

2. Use JWT Token for Further API Calls (if required)

Security Best Practices