Authentication Overview
GxP uses token-based authentication to secure API access. All API requests must include valid credentials to authenticate the requesting user or application.
Authentication Methods
GxP supports multiple authentication methods depending on your use case:
| Method | Use Case | Documentation |
|---|---|---|
| Sanctum Bearer Token | Server-to-server API calls | Sanctum Auth |
| API Keys | Third-party integrations | API Keys |
Bearer Token Authentication
The primary authentication method uses Laravel Sanctum bearer tokens. Include the token in the Authorization header of each request:
```bash
curl -X GET "https://api.gramercy.cloud/api/v1/projects" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json"
```
Required Headers
All API requests should include these headers:
| Header | Value | Required |
|---|---|---|
| Authorization | Bearer YOUR_TOKEN | Yes |
| Accept | application/json | Yes |
| Content-Type | application/json | For POST/PUT/PATCH |
Token Scopes
API tokens can be scoped to limit their permissions:
| Scope | Description |
|---|---|
| * | Full access (all permissions) |
| read | Read-only access |
| attendees:read | Read attendee data |
| attendees:write | Create/update attendees |
| access:read | Read access control data |
| access:write | Manage access points |
Security Best Practices
- Never expose tokens in client-side code - Store tokens securely on your server
- Use environment variables - Don't hardcode tokens in your application
- Rotate tokens regularly - Create new tokens and revoke old ones periodically
- Use minimal scopes - Only request the permissions your application needs
- Monitor token usage - Review API logs for unusual activity
Error Responses
Unauthenticated (401)
Returned when no token is provided or the token is invalid:
```json
{
  "message": "Unauthenticated."
}
```
Unauthorized (403)
Returned when the token is valid but lacks required permissions:
```json
{
  "message": "This action is unauthorized."
}
```
Token Expired (401)
Returned when the token has expired:
```json
{
  "message": "Token has expired."
}
```
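The following is an added client-side example (not code from the GxP documentation or project) that ties the required headers, the best practices and the documented error responses together: it reads the token from an environment variable instead of hardcoding it, sends Content-Type only on write methods, redacts the token before it reaches logs, and maps each documented 401/403 body to a handling decision. The environment variable name `GXP_API_TOKEN` and the decision labels are assumptions; the sample responses are constructed from the bodies shown above.

```python
import json
import os

API_BASE = "https://api.gramercy.cloud/api/v1"  # base URL from the curl example above


def load_token(env_var: str = "GXP_API_TOKEN") -> str:
    """Read the token from the environment (assumed variable name); never fall back to a literal."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a token")
    return token


def build_headers(token: str, method: str = "GET") -> dict:
    """Headers the API requires: Authorization and Accept always, Content-Type for writes only."""
    if not token:
        raise ValueError("empty token")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    if method.upper() in ("POST", "PUT", "PATCH"):
        headers["Content-Type"] = "application/json"
    return headers


def redact(headers: dict) -> dict:
    """Copy of the headers safe to log: only the last 4 token characters survive."""
    safe = dict(headers)
    auth = safe.get("Authorization", "")
    if auth.startswith("Bearer "):
        safe["Authorization"] = "Bearer ****" + auth[-4:]
    return safe


def classify_auth_error(status: int, body: str) -> str:
    """Map the documented 401/403 responses to what the caller should do next."""
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):  # non-JSON or non-object body
        message = ""
    if status == 401 and message == "Token has expired.":
        return "rotate_token"      # mint a new token, revoke the old one
    if status == 401:
        return "reauthenticate"    # token missing or invalid; do not retry as-is
    if status == 403:
        return "missing_scope"     # valid token, insufficient scope; retrying is pointless
    return "ok" if status < 400 else "other_error"


if __name__ == "__main__":
    hdrs = build_headers(load_token(), "POST")
    print(redact(hdrs))  # constructed run; the real token never reaches stdout
    print(classify_auth_error(403, '{"message": "This action is unauthorized."}'))
```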
Next Steps
- Sanctum Authentication - Detailed Sanctum setup
- API Keys - Using API keys for integrations