Skip to main content

Overview

Risk Legion uses JWT (JSON Web Tokens) for API authentication. Tokens are obtained from Supabase Auth and must be included in all API requests.

Obtaining Tokens

Via Script (Testing)

For testing purposes, use the provided script:
Output:

Using Tokens

HTTP Header

Include the token in the Authorization header:

cURL Example

JavaScript/TypeScript Example

Token Lifecycle

Token Expiration

Automatic Refresh

The Supabase client automatically refreshes tokens:

Manual Refresh

Authentication Errors

401 Unauthorized

Token is missing, expired, or invalid:
Solutions:
  • Check if token is included in request
  • Refresh the token if expired
  • Re-authenticate if refresh fails

403 Forbidden

Token is valid but user lacks permission:
Solutions:
  • Verify user has correct role
  • Check entity assignments for the user
  • Contact admin for access

Security Best Practices

  • Store tokens securely (memory or secure storage)
  • Never store tokens in localStorage for sensitive apps
  • Clear tokens on sign out
  • Don’t expose tokens in URLs or logs
  • Always use HTTPS
  • Include token only in Authorization header
  • Don’t pass tokens as query parameters
  • Validate HTTPS certificates
  • Validate token expiration before requests
  • Implement automatic refresh logic
  • Handle authentication errors gracefully
  • Re-authenticate when refresh fails
  • Verify JWT signature on every request
  • Check token audience and issuer
  • Validate token expiration
  • Log authentication failures

Test User Creation

Create Test Users

For development and testing:

Role-Based Access

Different roles have different API access: See RBAC for detailed permissions.

Postman Setup

Environment Variables

Pre-request Script

Troubleshooting

Common Issues

  • Verify token format: Bearer <token>
  • Check for whitespace in token
  • Ensure token is for correct environment
  • Verify token hasn’t expired
  • User may not be assigned to an enterprise
  • Check user role in enterprise_users table
  • Verify entity assignments for Assessors/Reviewers
  • Refresh token may be expired (7 days)
  • User may have been deactivated
  • Session may have been revoked
  • Re-authenticate from scratch