Authorization: Bearer <token>.
Login
Refresh a token
Required headers
| Header | Required | Description |
|---|---|---|
Authorization | Always | Bearer <token> |
X-Organization-ID | Most endpoints | UUID of your organization |
Security best practices
Store access tokens in memory, not localStorage
Store refresh tokens in httpOnly secure cookies
Use HTTPS everywhere
Revoke tokens on logout