Authentication

ItsFriday uses API keys and OAuth 2.0 for authentication.

API Keys

API keys are used for server-to-server communication.

Creating an API Key

Navigate to Settings > API Keys in the dashboard
Click Create API Key
Give it a name and select permissions
Copy and store the key securely

API keys are shown only once. Store them securely - you cannot retrieve them later.

Using API Keys

Include the API key in the Authorization header:

curl https://api.itsfriday.in/v1/metrics/ \
  -H "Authorization: Bearer if_live_abc123..."

Key Prefixes

Prefix	Environment
`if_live_`	Production
`if_test_`	Test/Development

Key Permissions

Permission	Access
`read`	Query data
`write`	Send data
`admin`	Manage settings

OAuth 2.0 (Auth0)

For user authentication and the dashboard, we use Auth0.

Configuration

Set these environment variables:

AUTH0_DOMAIN=your-tenant.auth0.com
AUTH0_AUDIENCE=https://api.itsfriday.in
AUTH0_CLIENT_ID=your-client-id
AUTH0_CLIENT_SECRET=your-client-secret

Getting an Access Token

curl -X POST https://your-tenant.auth0.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "audience": "https://api.itsfriday.in",
    "grant_type": "client_credentials"
  }'

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 86400
}

Using the Token

curl https://api.itsfriday.in/v1/metrics/ \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

Multi-Tenant Access

Each request is scoped to the tenant associated with the API key or token. The tenant ID is extracted from:

API key association
org_id claim in JWT token
X-Tenant-ID header (admin only)

Security Best Practices

Rotate keys regularly

Create new keys and deprecate old ones every 90 days.

Use separate keys per environment

Never use production keys in development.

Store keys securely

Use environment variables or secret managers. Never commit keys to git.

Use minimum permissions

Only grant permissions that are actually needed.

Troubleshooting

401 Unauthorized

Check if the API key is valid
Verify the key has correct permissions
Ensure Bearer prefix is included

403 Forbidden

The key doesn’t have required permissions
Trying to access another tenant’s data

Token expired

OAuth tokens expire after 24 hours
Request a new token using client credentials

Getting Started

Guides

Self-Hosting

API Reference

Authentication

Authentication

API Keys

Creating an API Key

Using API Keys

Key Prefixes

Key Permissions

OAuth 2.0 (Auth0)

Configuration

Getting an Access Token

Using the Token

Multi-Tenant Access

Security Best Practices

Troubleshooting

Getting Started

Guides

Self-Hosting

API Reference

​Authentication

​API Keys

​Creating an API Key

​Using API Keys

​Key Prefixes

​Key Permissions

​OAuth 2.0 (Auth0)

​Configuration

​Getting an Access Token

​Using the Token

​Multi-Tenant Access

​Security Best Practices

​Troubleshooting

Authentication

API Keys

Creating an API Key

Using API Keys

Key Prefixes

Key Permissions

OAuth 2.0 (Auth0)

Configuration

Getting an Access Token

Using the Token

Multi-Tenant Access

Security Best Practices

Troubleshooting