PolicyCortex Secure API Authentication: OAuth 2.0, API Keys & JWT
Secure API access using OAuth 2.0, API keys, and JWT tokens. PolicyCortex provides multiple authentication methods to integrate with your existing security infrastructure.
Getting Started with PolicyCortex API Authentication
Quick Start
Generate API Key
Get started quickly with API key authentication for server-to-server communication.
Generate API Key

```bash
# Using CLI
policycortex auth create-key --name "my-service" --scope "read,write"

# Using API
curl -X POST https://api.policycortex.com/v1/auth/api-keys \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "my-service",
    "scopes": ["policies:read", "policies:write", "scans:read"]
  }'
```

Authentication Methods
🔑 API Keys
Server-to-server authentication
• Never expire unless revoked
• Scoped permissions
• Rate limited by key
🎫 OAuth 2.0
User-delegated authentication
• Authorization Code flow
• PKCE support
• Refresh tokens
🎯 JWT Tokens
Session-based authentication
• Short-lived access tokens
• Stateless verification
• Custom claims support
API Key Authentication
Using API Keys
API keys provide simple authentication for automated systems and server-to-server communication.
API Key Usage

```javascript
const axios = require('axios');

// Read the key from the environment rather than hard-coding it (see Best Practices);
// POLICYCORTEX_API_KEY is an example variable name.
const api = axios.create({
  baseURL: 'https://api.policycortex.com/v1',
  headers: {
    'Authorization': `Bearer ${process.env.POLICYCORTEX_API_KEY}`,
    'Content-Type': 'application/json'
  }
});

// Top-level await is not available in CommonJS, so wrap the call in an async function.
async function listPolicies() {
  const response = await api.get('/policies');
  console.log(response.data);
}

listPolicies().catch((err) => console.error(err.message));
```

Best Practices
• Store keys in environment variables
• Never commit keys to version control
• Rotate keys regularly
• Use separate keys per service
• Implement key expiration policies
Security Features
• Rate limiting per key
• IP allowlisting support
• Audit logging for all requests
• Automatic anomaly detection
• Instant revocation capability
OAuth 2.0 Flow
Authorization Code Flow
Implement OAuth 2.0 for user-delegated access to PolicyCortex APIs.
OAuth 2.0 Implementation

```javascript
// Step 1 (browser): redirect the user to the authorization endpoint.
// `state` must be unpredictable and remembered so the callback can be checked.
const state = crypto.randomUUID();
sessionStorage.setItem('oauth_state', state);

const authUrl = 'https://auth.policycortex.com/oauth/authorize' +
  '?response_type=code' +
  '&client_id=YOUR_CLIENT_ID' +
  '&redirect_uri=' + encodeURIComponent('https://your-app.com/callback') +
  '&scope=' + encodeURIComponent('policies:read policies:write') +
  '&state=' + encodeURIComponent(state);
window.location.href = authUrl;

// Step 2 (server): exchange the code for tokens. This runs on your backend,
// because the client secret must never be shipped to the browser.
async function handleCallback(code, state, expectedState) {
  if (!state || state !== expectedState) {
    throw new Error('OAuth state mismatch');
  }
  const response = await fetch('https://auth.policycortex.com/oauth/token', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: new URLSearchParams({
      grant_type: 'authorization_code',
      client_id: 'YOUR_CLIENT_ID',
      client_secret: 'YOUR_CLIENT_SECRET',
      code: code,
      redirect_uri: 'https://your-app.com/callback'
    })
  });
  if (!response.ok) {
    throw new Error(`Token request failed: ${response.status}`);
  }
  const tokens = await response.json();
  return tokens;
}
```

Available Scopes
• policies:read: View policy configurations
• policies:write: Create and update policies
• scans:read: View scan results
• scans:write: Trigger security scans
• resources:read: View cloud resources
• admin: Full administrative access
JWT Tokens
Token Structure
JWT tokens contain encoded information about the user and their permissions.
JWT Token Example

```json
{
  "header": {
    "alg": "RS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "user-123456",
    "iss": "https://auth.policycortex.com",
    "aud": "https://api.policycortex.com",
    "exp": 1735689600,
    "iat": 1735686000,
    "scopes": ["policies:read", "policies:write"],
    "org_id": "org-abc123"
  }
}
```

Token Lifecycle
• Access tokens expire after 1 hour
• Refresh tokens valid for 30 days
• Automatic token rotation supported
• Revocation takes effect immediately
Token Validation
• Signature verified with RS256 (RSA with SHA-256)
• Expiration checked on each request
• Issuer and audience validated
• Custom claims supported