
Authentication

How Snaapi authenticates users and where API tokens come from.

Snaapi uses Better Auth for user identity and account management. Requests to your provisioned API authenticate with an API key in the Authorization: Bearer <key> header. Keys are issued from a credentialed call to the API's /token endpoint.

Better Auth integration

Better Auth handles user registration, login, and account management. Snaapi extends it with API key management and resource-level authorization. All auth-related records (users, accounts, verifications) are managed by Better Auth.

Email and password

Email and password authentication is enabled by default. Users can register and sign in with an email address and password through Better Auth's built-in endpoints. Email verification can be required before granting access.

Social providers

Snaapi supports OAuth login through Google and GitHub. Providers are configured per API and enabled when their credentials are supplied.

Trusted origins

For cross-origin requests, the list of allowed origins is configured on the provisioned API runtime.

Getting your first API token

Once you have a user account on your provisioned API, you can generate an API key to authenticate programmatic requests. Send a POST request to /token with your credentials.

curl -X POST https://your-api.snaapi.cloud/token \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "your-password",
    "permissions": {
      "posts": { "read": ["id", "title", "body"], "create": ["title", "body"] }
    }
  }'

The response includes your new API key, prefixed with sna_.

{
  "key": "sna_abc123def456..."
}

This is the only time the full key is returned. Snaapi stores a hashed version internally. Save the key somewhere secure.

Using your key

Pass the key in the Authorization header on all subsequent requests.

curl https://your-api.snaapi.cloud/posts \
  -H "Authorization: Bearer sna_abc123def456..."

For more details on key properties, scoped permissions, and rate limiting, see API keys.
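The token flow above (request a scoped key, store it once, send it as a Bearer token) as an added Python example; this is not Snaapi's own client code. The environment variable names SNAAPI_EMAIL and SNAAPI_PASSWORD and the key file path ~/.snaapi_key are assumptions made for illustration, and the host is the placeholder used in the curl examples.

```python
import json
import os
import urllib.request

BASE_URL = "https://your-api.snaapi.cloud"  # placeholder host from the curl examples
KEY_PREFIX = "sna_"                         # prefix the page says issued keys carry


def token_request(email, password, permissions, base_url=BASE_URL):
    """Build the POST /token request; credentials travel only in the JSON body."""
    body = json.dumps({"email": email, "password": password,
                       "permissions": permissions}).encode()
    return urllib.request.Request(
        f"{base_url}/token", data=body, method="POST",
        headers={"Content-Type": "application/json"})


def extract_key(response_body):
    """Read the key from the /token response and check the documented prefix."""
    key = json.loads(response_body).get("key", "")
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        raise ValueError("response did not contain an sna_ key")
    return key


def save_key(key, path):
    """Store the key in a file readable and writable by its owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tightens a file that already existed
        fh.write(key)


def authed_request(path, key_file, base_url=BASE_URL):
    """Build a request that carries the stored key as a Bearer token."""
    with open(key_file) as fh:
        key = fh.read().strip()
    return urllib.request.Request(
        f"{base_url}{path}", headers={"Authorization": f"Bearer {key}"})


if __name__ == "__main__":
    # Assumed variable names; credentials stay out of argv and shell history.
    key_file = os.path.expanduser("~/.snaapi_key")  # hypothetical location
    perms = {"posts": {"read": ["id", "title", "body"]}}  # read-only scope
    req = token_request(os.environ["SNAAPI_EMAIL"],
                        os.environ["SNAAPI_PASSWORD"], perms)
    with urllib.request.urlopen(req) as resp:
        save_key(extract_key(resp.read()), key_file)
    with urllib.request.urlopen(authed_request("/posts", key_file)) as resp:
        print(resp.read().decode())
```

Because the full key is returned only once, the script writes it to disk before making any other call.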

User fields

Each user record includes standard Better Auth fields plus two Snaapi-specific fields.

| Field | Type | Description |
|---|---|---|
| primaryRole | string | The role used for authorization decisions |
| allowedRoles | string | JSON-encoded array of roles the user may adopt |

See Roles for details on role assignment and behavior.