Authentication
Learn how to authenticate your API requests using API keys or JWT tokens.
Security First
Never expose your API keys in client-side code. Always make API calls from your server.
Authentication Methods
The Regen Therapy API supports two authentication methods:
API Keys
Best for server-to-server integrations
- Long-lived credentials
- Granular permission scopes
- Passed via X-API-Key header
- Can be rotated without downtime
JWT Tokens
Best for user-authenticated requests
- Short-lived (1 hour)
- Tied to user session
- Passed via Authorization header
- Refreshable with refresh token
API Key Authentication
Pass your API key in the X-API-Key header:
```bash
curl -X GET "https://gateway.regentherapy.com/api/v1/orders" \
  -H "X-API-Key: rg_abc123_your_secret_key_here"
```
Keep Your Keys Secret
Your API key carries many privileges. Keep it secure and never share it in public repositories or client-side code.
Creating an API Key
- Log in to your Partner Portal
- Navigate to Settings → API Keys
- Click "Create New Key"
- Select the required scopes for your integration
- Copy the key immediately - it won't be shown again
JWT Token Authentication
For user-authenticated requests, obtain a JWT token by logging in:
1. Login Request
```bash
curl -X POST "https://gateway.regentherapy.com/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "your_password"
  }'
```
2. Login Response
```json
{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
    "expiresIn": 3600,
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "role": "CLIENT_OWNER"
    }
  }
}
```
3. Use the Token
```bash
curl -X GET "https://gateway.regentherapy.com/api/v1/orders" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
```
Token Lifecycle
| Token Type | Lifetime | Usage |
|---|---|---|
| Access Token | 1 hour | API requests |
| Refresh Token | 7 days | Get new access token |
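The login, bearer-header and token-lifecycle steps above, as an added example that is not part of this documentation or the Regen Therapy SDK: a small session object that parses the login envelope shown above, refreshes the access token shortly before its 1-hour expiry, and refuses to go on once the 7-day refresh token has lapsed. The refresh endpoint path and its request body are assumptions (the page states that refresh tokens exist but does not document the endpoint), and the transport is injected so the example runs offline against a constructed fake gateway.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Base URL and login path are the ones shown on this page. The refresh path is an
# ASSUMPTION: the page says refresh tokens exist but does not document the endpoint.
BASE_URL = "https://gateway.regentherapy.com"
LOGIN_PATH = "/api/auth/login"
REFRESH_PATH = "/api/auth/refresh"  # placeholder, replace with the documented endpoint

ACCESS_REFRESH_MARGIN = 60              # refresh this many seconds before access expiry
REFRESH_TOKEN_LIFETIME = 7 * 24 * 3600  # 7 days, from the token lifecycle table

# Transport: (method, url, headers, json_body) -> (status, json_dict). Injected so the
# example runs offline; in production wrap requests/urllib here.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_expires_at: float   # unix time
    refresh_expires_at: float  # unix time

    @classmethod
    def from_response(cls, body: dict, now: float, refresh_expires_at: float) -> "TokenSet":
        # Envelope shape is the login response shown on the page.
        if not body.get("success"):
            raise RuntimeError("authentication response reported failure")
        data = body["data"]
        return cls(data["accessToken"], data["refreshToken"],
                   now + float(data["expiresIn"]), refresh_expires_at)

    def access_stale(self, now: float) -> bool:
        return now >= self.access_expires_at - ACCESS_REFRESH_MARGIN

    def refresh_expired(self, now: float) -> bool:
        return now >= self.refresh_expires_at


class JwtSession:
    """Holds the token pair and refreshes transparently before each request."""

    def __init__(self, transport: Transport, clock: Callable[[], float] = time.time):
        self._transport, self._clock = transport, clock
        self._tokens: Optional[TokenSet] = None
        self.refresh_count = 0

    def login(self, email: str, password: str) -> None:
        now = self._clock()
        status, body = self._transport("POST", BASE_URL + LOGIN_PATH,
                                       {"Content-Type": "application/json"},
                                       {"email": email, "password": password})
        if status != 200:
            raise RuntimeError(f"login returned HTTP {status}")
        # Assume the refresh token's 7-day clock starts at login and is not extended by refreshes.
        self._tokens = TokenSet.from_response(body, now, now + REFRESH_TOKEN_LIFETIME)

    def _refresh(self) -> None:
        now = self._clock()
        # ASSUMPTION: refresh takes {"refreshToken": ...} and returns the login envelope.
        status, body = self._transport("POST", BASE_URL + REFRESH_PATH,
                                       {"Content-Type": "application/json"},
                                       {"refreshToken": self._tokens.refresh_token})
        if status != 200:
            raise RuntimeError("refresh rejected; log in again with credentials")
        self._tokens = TokenSet.from_response(body, now, self._tokens.refresh_expires_at)
        self.refresh_count += 1

    def auth_headers(self) -> Dict[str, str]:
        if self._tokens is None:
            raise RuntimeError("not logged in")
        now = self._clock()
        if self._tokens.access_stale(now):
            if self._tokens.refresh_expired(now):
                raise RuntimeError("refresh token expired; log in again")
            self._refresh()
        return {"Authorization": f"Bearer {self._tokens.access_token}"}


def make_fake_transport() -> Transport:
    """Constructed stand-in for the gateway: hands out a new token pair on every call."""
    calls = {"n": 0}

    def transport(method, url, headers, body):
        calls["n"] += 1
        tok = f"tok{calls['n']}"
        return 200, {"success": True, "data": {"accessToken": tok,
                     "refreshToken": "refresh-" + tok, "expiresIn": 3600}}
    return transport


def demo():
    clock = {"t": 1_700_000_000.0}
    session = JwtSession(make_fake_transport(), clock=lambda: clock["t"])
    session.login("user@example.com", "your_password")
    first = session.auth_headers()["Authorization"]    # fresh token, no refresh
    clock["t"] += 3600 - ACCESS_REFRESH_MARGIN         # now inside the refresh margin
    second = session.auth_headers()["Authorization"]   # refreshed transparently
    clock["t"] += REFRESH_TOKEN_LIFETIME               # refresh token has lapsed
    try:
        session.auth_headers()
        third = "unexpected success"
    except RuntimeError as exc:
        third = str(exc)
    return first, second, session.refresh_count, third
```

The margin matters: a token that is valid when you build the request can be rejected by the time the gateway reads it, so refreshing a minute early avoids spurious 401s. Once the refresh token itself has expired, the only correct move is a fresh login with credentials, which is why the session raises rather than retrying.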
API Scopes
API keys use scopes to limit access. Only request the scopes your integration needs.
| Scope | Type | Description |
|---|---|---|
| read:* | Read | Read access to all resources |
| write:* | Write | Write access to all resources |
| read:orders | Read | Read orders |
| write:orders | Write | Create and update orders |
| read:products | Read | Read products |
| write:products | Write | Create and update products |
| read:inventory | Read | Read inventory levels |
| write:inventory | Write | Adjust inventory |
| read:commissions | Read | Read commission records |
| write:commissions | Write | Create payouts |
| read:customers | Read | Read customer data |
| write:customers | Write | Update customer data |
| read:webhooks | Read | Read webhook configurations |
| write:webhooks | Write | Manage webhook endpoints |
| read:analytics | Read | Read analytics data |
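To make "only request the scopes your integration needs" checkable rather than a slogan, here is an added example (not part of this documentation or the Regen Therapy code) that models the scope table above: it resolves `read:*` and `write:*` to the concrete scopes they confer, answers whether a key is allowed a given operation, and reports the permissions a key holds but the integration never exercises, which are the ones to drop when re-issuing the key. The scope names are taken from the table; the interpretation of the wildcards as "every scope of that type" follows the table's descriptions.

```python
from typing import Iterable, Set

# Scope vocabulary exactly as listed in the API Scopes table on this page.
READ_SCOPES = {
    "read:orders", "read:products", "read:inventory", "read:commissions",
    "read:customers", "read:webhooks", "read:analytics",
}
WRITE_SCOPES = {
    "write:orders", "write:products", "write:inventory",
    "write:commissions", "write:customers", "write:webhooks",
}
# "read:*" / "write:*" are described as access to all resources of that type.
WILDCARDS = {"read:*": READ_SCOPES, "write:*": WRITE_SCOPES}
CONCRETE_SCOPES = READ_SCOPES | WRITE_SCOPES
KNOWN_SCOPES = CONCRETE_SCOPES | set(WILDCARDS)


def expand(scopes: Iterable[str]) -> Set[str]:
    """Resolve a scope list to the concrete permissions it actually confers."""
    concrete: Set[str] = set()
    for scope in scopes:
        if scope not in KNOWN_SCOPES:
            raise ValueError(f"unknown scope: {scope}")
        concrete |= WILDCARDS.get(scope, {scope})
    return concrete


def scope_satisfied(granted: Iterable[str], required: str) -> bool:
    """Would a key holding `granted` be allowed an operation that needs `required`?"""
    if required not in CONCRETE_SCOPES:
        raise ValueError(f"required scope must be a concrete scope, got: {required}")
    return required in expand(granted)


def excess_scopes(granted: Iterable[str], used: Iterable[str]) -> Set[str]:
    """Permissions the key holds that the integration never exercises: the
    candidates to remove when the key is next rotated."""
    return expand(granted) - expand(used)


def demo():
    # Constructed scenario: a key was created with a read wildcard plus order writes,
    # but the integration only ever reads and updates orders.
    granted = ["read:*", "write:orders"]
    used = ["read:orders", "write:orders"]
    return {
        "can_read_analytics": scope_satisfied(granted, "read:analytics"),
        "can_write_products": scope_satisfied(granted, "write:products"),
        "excess": sorted(excess_scopes(granted, used)),
        "recommended": sorted(expand(used)),  # what to select in the Partner Portal
    }
```

Run `excess_scopes` against the scopes your integration actually calls before rotating a key: a wildcard that looked convenient at creation time usually turns out to grant far more than the integration uses, and a leaked key carrying `read:customers` or `write:commissions` it never needed is a much worse incident than one limited to orders.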
Rate Limiting
API requests are rate limited per API key. Rate limit information is included in response headers.
| Tier | Limit | Window |
|---|---|---|
| Standard | 100 requests | Per hour |
| Burst | 10 requests | Per minute |
| Write Operations | 50 requests | Per hour |
Rate Limit Headers
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed in the window |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
| Retry-After | Seconds to wait when rate limited (429 responses) |
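An added example, not part of this documentation or the Regen Therapy code, covering both the API key passage earlier on this page and the rate-limit headers above: a server-side client that reads the key from the process environment (the variable name is an assumption), sends it in `X-API-Key`, logs only a redacted form of it, honours `Retry-After` on a 429, and, when the previous response reported `X-RateLimit-Remaining: 0`, waits for `X-RateLimit-Reset` instead of spending a request on a guaranteed 429. The transport is injected so the example runs offline against a constructed fake gateway and a fake clock.

```python
import os
import time
from typing import Callable, Dict, Mapping, Optional, Tuple

BASE_URL = "https://gateway.regentherapy.com"
API_KEY_ENV = "REGEN_API_KEY"   # ASSUMPTION: variable name chosen for this example
MAX_RETRIES_ON_429 = 3
DEFAULT_BACKOFF = 1.0           # used only when a 429 arrives without Retry-After

# Transport: (method, url, headers) -> (status, response_headers, body). Injected so the
# example runs offline; in production wrap requests/urllib here.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Dict[str, str], str]]


def load_api_key(env: Mapping[str, str] = os.environ) -> str:
    """Read the key from the server's environment; never embed it in code or ship it to a browser."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def redact(key: str) -> str:
    """Log-safe form of a key: enough to tell keys apart, never enough to use one."""
    return f"{key[:3]}...{key[-4:]}" if len(key) >= 12 else "***"


def parse_rate_limit(headers: Mapping[str, str]) -> Dict[str, Optional[float]]:
    """Pull the X-RateLimit-* and Retry-After values; header names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}

    def num(name: str) -> Optional[float]:
        value = lower.get(name)
        return float(value) if value is not None else None

    return {"limit": num("x-ratelimit-limit"), "remaining": num("x-ratelimit-remaining"),
            "reset": num("x-ratelimit-reset"), "retry_after": num("retry-after")}


class ApiKeyClient:
    def __init__(self, api_key: str, transport: Transport,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.time):
        self._key, self._transport, self._sleep, self._clock = api_key, transport, sleep, clock
        self.last_rate: Optional[Dict[str, Optional[float]]] = None

    def get(self, path: str) -> Tuple[int, str]:
        headers = {"X-API-Key": self._key, "Accept": "application/json"}
        # Proactive throttle: the previous response said the window is exhausted.
        if self.last_rate and self.last_rate["remaining"] == 0 and self.last_rate["reset"]:
            wait = self.last_rate["reset"] - self._clock()
            if wait > 0:
                self._sleep(wait)
        for attempt in range(MAX_RETRIES_ON_429 + 1):
            status, resp_headers, body = self._transport("GET", BASE_URL + path, headers)
            self.last_rate = parse_rate_limit(resp_headers)
            if status != 429:
                return status, body
            # Reactive: honour Retry-After rather than hammering the gateway.
            delay = self.last_rate["retry_after"] or DEFAULT_BACKOFF * (2 ** attempt)
            self._sleep(delay)
        raise RuntimeError(f"still rate limited after {MAX_RETRIES_ON_429} retries "
                           f"(key {redact(self._key)})")


def make_fake_transport(now: float) -> Transport:
    """Constructed gateway: first call is throttled, the window then drains, then recovers."""
    responses = [
        (429, {"Retry-After": "2", "X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(int(now + 2))}, '{"error":"rate limited"}'),
        (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": str(int(now + 5))}, '{"success":true,"data":[]}'),
        (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "99",
               "X-RateLimit-Reset": str(int(now + 3600))}, '{"success":true,"data":[]}'),
    ]

    def transport(method, url, headers):
        assert headers["X-API-Key"], "every request must carry the key"
        return responses.pop(0)
    return transport


def demo():
    now = 1_700_000_000.0
    sleeps = []   # records every wait instead of actually sleeping
    key = load_api_key({API_KEY_ENV: "rg_abc123_your_secret_key_here"})  # constructed key from the page's example
    client = ApiKeyClient(key, make_fake_transport(now), sleep=sleeps.append, clock=lambda: now)
    first = client.get("/api/v1/orders")[0]    # 429 then 200: waited Retry-After (2 s)
    second = client.get("/api/v1/orders")[0]   # window exhausted: waited for reset (5 s)
    return first, second, sleeps, redact(key)
```

Two details are worth keeping in production code: the proactive wait lives outside the retry loop, so a 429 is followed by exactly one `Retry-After` pause rather than a second wait for the same reset; and the only place the key ever reaches a log line is through `redact`, so a stack trace from the retry-exhausted error never contains a usable credential.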