# Authentication

## Overview

The AutoDoc API distinguishes between public and protected routes. Public routes require no authentication. Protected routes support authentication via Supabase service role keys (internal use only), product access tokens, or Supabase JWTs for user-scoped calls.

## GitHub Webhooks

GitHub webhooks are authenticated using HMAC signature validation against the configured webhook secret.

The endpoint is POST /webhooks. It accepts GitHub's standard webhook payload for events such as push, installation, and installation_repositories. No request body schema is defined beyond the standard GitHub payload.

The API performs signature validation and returns 200 or 204 on success. Invalid signatures or payloads return a 400 error. The exact header shape used for signature transmission is not documented.
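Added example, not code from the AutoDoc project: a minimal validator of the kind described above. Because the page does not document the header the API reads, this assumes GitHub's standard `X-Hub-Signature-256: sha256=<hex>` header; the secret and payload are constructed for the example.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed for this example: a webhook secret and a minimal push payload.
WEBHOOK_SECRET = b"example-webhook-secret"
SAMPLE_BODY = json.dumps({"ref": "refs/heads/main", "repository": {"full_name": "org/repo"}}).encode()

# GitHub's standard signature header. Assumed here; the page does not document the header the API uses.
SIGNATURE_HEADER = "X-Hub-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Return the value GitHub sends: 'sha256=' followed by the hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Validate the signature over the raw request bytes, never over re-serialized JSON.

    A missing or malformed header is treated as invalid, and the comparison is
    constant-time so a wrong signature is not distinguishable from a right one by timing.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def handle_webhook(headers: dict, body: bytes, secret: bytes = WEBHOOK_SECRET) -> int:
    """Map the outcome to the status codes the page describes: 400 for a bad signature or payload, 204 on success."""
    if not verify_signature(secret, body, headers.get(SIGNATURE_HEADER)):
        return 400
    try:
        json.loads(body)  # signature checked first, so unsigned bodies are never parsed
    except ValueError:
        return 400
    return 204


if __name__ == "__main__":
    good = {SIGNATURE_HEADER: sign_payload(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(good, SAMPLE_BODY))         # 204
    print(handle_webhook(good, SAMPLE_BODY + b" "))  # 400: body altered after signing
    print(handle_webhook({}, SAMPLE_BODY))           # 400: header missing
```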

## Product Access Tokens

Product access tokens enable access to protected routes. Tokens are created, listed, and revoked through dedicated endpoints. The token value is write-only on creation and appears masked in listings.

### Creating a Token

`POST /tokens` accepts this body:

```json
{ "name": "string", "scopes": ["string"], "expiresAt": "string" }
```

The `expiresAt` field is optional. The response includes the generated token.

### Listing Tokens

`GET /tokens` returns tokens belonging to the authenticated product or user, with secrets masked.

### Revoking a Token

`DELETE /tokens/:id` revokes the specified token.

The exact header, query parameter, or body shape for supplying a product access token on subsequent protected requests is not documented.

## Supabase JWTs

Supabase JWTs are accepted for user-scoped calls to protected routes. The exact header, query parameter, or body shape for supplying these JWTs is not documented.

## OAuth / MCP

OAuth flows for MCP integrations use these endpoints:

- `GET /oauth/mcp` initiates the OAuth flow.
- `POST /oauth/mcp/callback` handles the callback and token exchange.

Request and response shapes for authentication during these flows are not documented.

## Additional Details

Request and response shapes for authentication are defined in the API contract. See developer/openapi.json for the machine-readable specification. Authentication-related errors follow the standard error format described in developer/errors.md.