Authentication

Most IndepAI API endpoints require authentication. We use Supabase for authentication, which provides JWT tokens for API access.

These endpoints can be used without authentication, but have stricter rate limits:

  • POST /api/v1/calculator - FI Timeline Calculator
  • POST /api/v1/portfolio-health - Portfolio Health Score
  • GET /api/v1/geo/cities - City list
  • GET /api/v1/status - API health check

All other endpoints require a valid JWT token:

  • All /api/v1/assets/* endpoints
  • All /api/v1/user/* endpoints
  • POST /api/v1/geo/recommendations
  • All /api/v1/features/* endpoints

If you’re building a web app, authentication is handled via Supabase session cookies. After signing in through the IndepAI web app, your session token is included automatically in API requests.

For programmatic access (including MCP connections and server-to-server communication), use a Bearer token with the iai_ prefix:

  curl https://indepai.app/api/v1/fi-score \
    -H "Authorization: Bearer iai_your_api_key_here"

API keys can be generated from your account settings at indepai.app/dashboard/settings.

Include the token in the Authorization header:

cURL:

  curl https://indepai.app/api/v1/assets \
    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

JavaScript:

  // Read the token from the environment rather than hard-coding it
  // (variable name is an example; use whatever your deployment provides).
  const token = process.env.INDEPAI_API_TOKEN;

  const response = await fetch("https://indepai.app/api/v1/assets", {
    headers: {
      Authorization: `Bearer ${token}`,
      "Content-Type": "application/json",
    },
  });

Python:

  import os
  import requests

  # Read the token from the environment rather than hard-coding it
  # (variable name is an example; use whatever your deployment provides).
  token = os.environ["INDEPAI_API_TOKEN"]

  headers = {
      "Authorization": f"Bearer {token}",
      "Content-Type": "application/json",
  }
  response = requests.get(
      "https://indepai.app/api/v1/assets",
      headers=headers,
  )

Tokens expire after 1 hour. When a token expires, you’ll receive:

{
"success": false,
"error": "Unauthorized",
"code": "UNAUTHORIZED",
"message": "Token has expired"
}

For web app sessions, token refresh is handled automatically by Supabase. For API keys, tokens do not expire unless revoked.

Missing or invalid token:

{
"success": false,
"error": "Unauthorized",
"code": "UNAUTHORIZED"
}

Token is valid but user lacks permission:

{
"success": false,
"error": "Forbidden",
"code": "FORBIDDEN",
"message": "This endpoint requires a Pro subscription"
}

  1. Never expose tokens in client-side code - Use environment variables
  2. Use HTTPS - Always use secure connections
  3. Short-lived tokens - Tokens expire after 1 hour for security
  4. Refresh tokens securely - Store refresh tokens server-side when possible
  5. Validate on every request - Don’t cache authentication status
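The two credential types and the error bodies above suggest a small client-side helper that tells a caller what to do after each response. The following is an added example, not IndepAI code: it classifies a credential by shape (iai_ prefix vs. three-part JWT), builds the header, keeps a log-safe form of the token, and maps the UNAUTHORIZED / FORBIDDEN bodies to a next step. The HTTP status numbers and the action names are assumptions of this example; the page only shows the JSON bodies.

```python
import json

API_KEY_PREFIX = "iai_"


def credential_kind(token: str) -> str:
    """'api_key' for iai_-prefixed keys, 'jwt' for a three-part token, else 'unknown'."""
    if token.startswith(API_KEY_PREFIX):
        return "api_key"
    parts = token.split(".")
    if len(parts) == 3 and all(parts):
        return "jwt"
    return "unknown"


def auth_headers(token: str) -> dict:
    """Build the Authorization header; reject obviously malformed credentials early."""
    if credential_kind(token) == "unknown":
        raise ValueError("credential is neither an iai_ API key nor a JWT")
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def redact(token: str) -> str:
    """Log-safe form of a credential: keep only the first four characters."""
    return token[:4] + "..." if len(token) > 4 else "***"


def next_action(status: int, body: str, token: str) -> str:
    """Decide what the caller should do after a response.

    status/body are the HTTP status and raw response body; token is the credential
    that was sent. Action names are this example's own convention.
    """
    if 200 <= status < 300:
        return "ok"
    try:
        err = json.loads(body)
    except json.JSONDecodeError:
        return "retry_later"  # non-JSON error (proxy, outage); not an auth problem
    code = err.get("code")
    if code == "UNAUTHORIZED":
        expired = err.get("message") == "Token has expired"
        # A Supabase session JWT can be refreshed; an iai_ key never expires, so an
        # UNAUTHORIZED reply for one means it is invalid or revoked: get a new key.
        if expired and credential_kind(token) == "jwt":
            return "refresh_session"
        return "reauthenticate"
    if code == "FORBIDDEN":
        return "upgrade_required"  # valid token, plan does not allow the endpoint
    return "unexpected"
```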