Authentication

Notes:

Public API v1 is currently in feature preview, so the documentation for this feature is still a work in progress.

Public API v1 requests are authenticated by API key or bearer token. The same API keys used for OData are used for Public API v1.

Supported headers

  • X-Api-Key: <api-key>
  • Authorization: Bearer <token>
  • Authorization: Basic <base64(email:api-key)>

API key management

  • API keys are generated from the xpna task pane.
  • The API Keys guide is used for key creation and rotation.

Bearer token construction

  • The bearer token is the access token returned by xpna authentication.
  • The token is added to the header with the Bearer prefix and no additional encoding.
  • The /me endpoint is used to verify that the token is valid.

Example request

```bash
curl --request GET \
  --url https://xpna.app/api/public/v1/me \
  --header "Authorization: Bearer <token>"
```
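
The three header forms listed under "Supported headers", built in shell as an added example (not xpna's own code; all function names are hypothetical). It rejects CR/LF in values, avoids the trailing newline that `echo` would encode into the Basic credential, and hands the header to curl on stdin so the key stays out of the process list.

```shell
# Added example: helper names are assumptions, not part of the xpna API.

# Accept only non-empty values with no CR/LF, so a value cannot add header lines.
safe_value() {
  [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '\r\n')" = "$1" ]
}

# Authorization: Basic <base64(email:api-key)>
basic_header() {
  safe_value "$1" && safe_value "$2" || return 1
  # RFC 7617: a ':' in the user-id makes the email/key split ambiguous.
  case "$1" in *:*) return 1 ;; esac
  # printf, not echo: a trailing newline would be encoded into the credential.
  # tr removes the line wrapping some base64 builds add to long output.
  printf 'Authorization: Basic %s' \
    "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Authorization: Bearer <token> (prefix only, no additional encoding)
bearer_header() {
  safe_value "$1" || return 1
  printf 'Authorization: Bearer %s' "$1"
}

# X-Api-Key: <api-key>
api_key_header() {
  safe_value "$1" || return 1
  printf 'X-Api-Key: %s' "$1"
}

# Emit a curl config for the /me check. Piped to `curl --config -`, the secret
# travels on stdin instead of argv, where local users could read it via ps.
curl_config() {
  # Quotes and backslashes would change how curl parses the quoted value.
  case "$1" in *\"*|*\\*) return 1 ;; esac
  printf 'url = "https://xpna.app/api/public/v1/me"\nheader = "%s"\n' "$1"
}

# Usage (not executed here; XPNA_EMAIL and XPNA_API_KEY are assumed names):
#   curl_config "$(basic_header "$XPNA_EMAIL" "$XPNA_API_KEY")" | curl --config -
```
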

Unauthorized response

  • A 401 response is returned when authentication is missing or invalid.
  • Error responses are returned as RFC 9457 problem details.