
Authentication

Bizon Platform supports multiple authentication methods: JWT tokens, Google OAuth, and API keys.

The primary authentication method uses JSON Web Tokens (JWT).

Create a new user and organization:

```bash
curl -X POST http://localhost:8000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecurePassword123!",
    "name": "John Doe",
    "organization_name": "My Company"
  }'
```

Response:

```json
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "name": "John Doe",
    "role": "owner"
  },
  "organization": {
    "id": "uuid",
    "name": "My Company",
    "slug": "my-company-abc123"
  }
}
```
Log in with an existing account:

```bash
curl -X POST http://localhost:8000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecurePassword123!"
  }'
```

Include the access token in the Authorization header:

```bash
curl http://localhost:8000/api/pipelines \
  -H "Authorization: Bearer eyJ..."
```

Access tokens expire after 24 hours. Use the refresh token to get new tokens:

```bash
curl -X POST http://localhost:8000/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "eyJ..."}'
```

Users can sign in with Google for a passwordless experience.

Set the following environment variables:

```bash
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_REDIRECT_URI=http://localhost:8000/api/auth/google/callback
FRONTEND_URL=http://localhost:5173
```
The sign-in flow:

  1. User clicks “Sign in with Google” in the UI
  2. Redirect to GET /api/auth/google
  3. Google authenticates the user
  4. Callback to GET /api/auth/google/callback
  5. Platform creates/updates the user and redirects to the frontend with tokens

Existing users can link their Google account:

```bash
# Get redirect URL (authenticated)
curl http://localhost:8000/api/auth/link/google \
  -H "Authorization: Bearer eyJ..."
# Returns: {"redirect_url": "https://accounts.google.com/..."}
```
Unlink a Google account (authenticated):

```bash
curl -X DELETE http://localhost:8000/api/auth/unlink/google \
  -H "Authorization: Bearer eyJ..."
```

API keys provide programmatic access without user interaction.

Create an API key (requires a JWT):

```bash
curl -X POST http://localhost:8000/api/api-keys \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI/CD Pipeline",
    "expires_in_days": 90
  }'
```

Important: The full key is returned only once. Store it securely.

Include the API key in the X-API-Key header:

```bash
curl http://localhost:8000/api/pipelines \
  -H "X-API-Key: biz_live_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
```

Key format:

  • Prefix: biz_live_ (9 characters)
  • Random: 32 characters from secrets.token_urlsafe(24)
  • Total: 44 characters
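As an added example (not Bizon's own code), the following Python sketch mints a key in the documented format, keeps only a SHA-256 fingerprint of it so the plaintext exists server-side just long enough to be returned once, and verifies presented keys against format, expiry and revocation. The KeyStore class, the fingerprint-based storage and revocation by key rather than key_id are assumptions of this example, not the platform's API.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

PREFIX = "biz_live_"  # documented prefix, 9 characters
URLSAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


def generate_api_key() -> str:
    """Key in the documented format: prefix + secrets.token_urlsafe(24) (32 chars)."""
    return PREFIX + secrets.token_urlsafe(24)


def is_well_formed(key: str) -> bool:
    """Structural check before any lookup: prefix, 32-char body, URL-safe alphabet."""
    body = key[len(PREFIX):]
    return key.startswith(PREFIX) and len(body) == 32 and set(body) <= URLSAFE


def fingerprint(key: str) -> str:
    """Assumed storage form: SHA-256 of the key, so the plaintext is never persisted."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Constructed in-memory store keeping only fingerprints, names and expiry."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}

    def create(self, name: str, expires_in_days: int, now=None) -> str:
        """Mint a key; the plaintext is returned exactly once and never stored."""
        now = now or datetime.now(timezone.utc)
        key = generate_api_key()
        self._records[fingerprint(key)] = {
            "name": name, "expires_at": now + timedelta(days=expires_in_days), "revoked": False}
        return key

    def revoke(self, key: str) -> None:
        """Mark a key revoked (the real API revokes by key_id; here by fingerprint)."""
        self._records[fingerprint(key)]["revoked"] = True

    def verify(self, presented: str, now=None) -> bool:
        """Accept only a well-formed, known, unrevoked and unexpired key."""
        now = now or datetime.now(timezone.utc)
        if not is_well_formed(presented):
            return False
        record = self._records.get(fingerprint(presented))  # hash lookup, no plaintext compared
        return record is not None and not record["revoked"] and now < record["expires_at"]
```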
List API keys:

```bash
curl http://localhost:8000/api/api-keys \
  -H "Authorization: Bearer eyJ..."
```
Revoke an API key:

```bash
curl -X DELETE http://localhost:8000/api/api-keys/{key_id} \
  -H "Authorization: Bearer eyJ..."
```
Each user has an organization role:

| Role | Permissions |
|---|---|
| owner | Full access, can transfer ownership |
| admin | Full access except ownership transfer |
| member | Create/edit pipelines and connectors |
| viewer | Read-only access |

Grant elevated permissions within specific domains:

```bash
# Add domain role override
curl -X POST http://localhost:8000/api/users/{user_id}/domain-roles \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{
    "domain_id": "uuid",
    "role": "admin"
  }'
```

Rules:

  • Only admin or member roles can be assigned as overrides
  • Overrides can only elevate, not demote
  • owner and admin org roles are not affected by overrides
Change the password of the authenticated user:

```bash
curl -X PUT http://localhost:8000/api/auth/password \
  -H "Authorization: Bearer eyJ..." \
  -H "Content-Type: application/json" \
  -d '{
    "current_password": "OldPassword123!",
    "new_password": "NewPassword456!"
  }'
```
Password requirements:

  • Minimum 8 characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one number
  • At least one special character
JWT settings:

| Setting | Default | Description |
|---|---|---|
| JWT_SECRET_KEY | Required | Secret for JWT signing |
| JWT_ALGORITHM | HS256 | JWT algorithm |
| JWT_ACCESS_TOKEN_EXPIRE_MINUTES | 1440 | Access token lifetime (24h) |
| JWT_REFRESH_TOKEN_EXPIRE_DAYS | 7 | Refresh token lifetime |

Generate a secure JWT secret:

```bash
openssl rand -hex 32
```