Authentication
All Onoots API endpoints (except public listing routes) require a Bearer JWT issued by Supabase Auth.
Getting a Token
```http
POST https://[project].supabase.co/auth/v1/token?grant_type=password
Content-Type: application/json

{
  "email": "agent@brokerage.com.au",
  "password": "your-password"
}
```

Returns:

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5...",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "..."
}
```

Using the Token

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5...
```

Roles & Row-Level Security
| Role | Access |
|---|---|
| broker | All records within their brokerage |
| team_lead | Own records + team member records |
| agent | Own records only |
RLS is enforced at the PostgreSQL level via Supabase policies. Attempting to access another agent’s records returns 403 Forbidden or an empty result set, never another agent’s data.
CRON_SECRET
Server-to-server cron jobs authenticate via:
```http
Authorization: Bearer <CRON_SECRET>
```

The CRON_SECRET is set in Vercel environment variables and is never exposed to clients.
Never include your JWT in client-side code or commit it to version control. Use environment variables or Supabase’s client-side session management.
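How a server can check both credential paths described above, as an added Python example that is not the Onoots code base: it pins HS256 (the algorithm in the sample token header), verifies the Supabase-issued JWT's signature and expiry against the project's JWT secret, and compares the CRON_SECRET in constant time. The secret values, the `sub` claim handling and the `mint_test_token` helper are assumptions made so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Placeholder secrets for the demo; real values live in server-side environment variables.
SUPABASE_JWT_SECRET = b"placeholder-supabase-jwt-secret"
CRON_SECRET = "placeholder-cron-secret"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_supabase_jwt(token: str, now=None) -> dict:
    """Verify an HS256 JWT (signature + expiry) and return its claims; raise ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own header choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(SUPABASE_JWT_SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

def authenticate(authorization_header, now=None) -> dict:
    """Map an Authorization header to a caller: {"kind": "cron"} or {"kind": "user", "sub": ...}."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise ValueError("missing bearer credentials")
    credential = authorization_header[len("Bearer "):]
    # Constant-time comparison so the cron secret cannot be recovered byte by byte via timing.
    if hmac.compare_digest(credential.encode(), CRON_SECRET.encode()):
        return {"kind": "cron"}
    claims = verify_supabase_jwt(credential, now)
    return {"kind": "user", "sub": claims["sub"]}

def mint_test_token(claims: dict) -> str:
    """Build a sample HS256 token for local testing only (clients get theirs from Supabase Auth)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SUPABASE_JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Row-level authorisation (broker, team_lead, agent) still happens in PostgreSQL via RLS; this check only establishes who the caller is before the query runs.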