Authentication
TigerIdentity supports multiple authentication methods: API keys for service-to-service communication and OAuth 2.0 for user-context access. All API requests require a valid Bearer token.
Overview
All API requests must include an Authorization header with a valid Bearer token. Tokens can be obtained through API key generation or OAuth 2.0 flows.
curl -X GET "https://api.tigeridentity.com/v1/principals" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
API Keys
API keys are long-lived credentials for programmatic access. Generate them from the TigerIdentity dashboard or via the API.
/auth/api-keys
Generate a new API key
Request Body
{
"name": "Production Service",
"description": "API key for prod backend",
"scopes": [
"read:principals",
"write:policies",
"evaluate:decisions"
],
"expires_in_days": 365
}
Parameters
Response
{
"id": "key_1a2b3c4d5e6f",
"name": "Production Service",
"api_key": "ti_live_abc123...",
"scopes": [
"read:principals",
"write:policies",
"evaluate:decisions"
],
"created_at": "2026-02-05T10:30:00Z",
"expires_at": "2027-02-05T10:30:00Z",
"last_used_at": null
}
Store the api_key securely. It will only be shown once.
/auth/api-keys
List all API keys
cURL Example
curl -X GET \
  "https://api.tigeridentity.com/v1/auth/api-keys" \
  -H "Authorization: Bearer YOUR_TOKEN"
Response
{
"data": [
{
"id": "key_1a2b3c4d5e6f",
"name": "Production Service",
"scopes": ["read:principals"],
"created_at": "2026-02-05T10:30:00Z",
"expires_at": "2027-02-05T10:30:00Z",
"last_used_at": "2026-02-05T12:45:00Z"
}
],
"pagination": {
"total": 1,
"page": 1,
"per_page": 50
}
}
/auth/api-keys/{key_id}
Revoke an API key
cURL Example
curl -X DELETE \
  "https://api.tigeridentity.com/v1/auth/api-keys/key_1a2b3c4d5e6f" \
  -H "Authorization: Bearer YOUR_TOKEN"
Response
{
"id": "key_1a2b3c4d5e6f",
"status": "revoked",
"revoked_at": "2026-02-05T14:20:00Z"
}
OAuth 2.0 Bearer Tokens
For user-context access, use OAuth 2.0 to obtain short-lived access tokens. See the OAuth 2.0 documentation for complete flow details.
/oauth/token
Exchange credentials for access token
Request Body
{
"grant_type": "client_credentials",
"client_id": "your_client_id",
"client_secret": "your_client_secret",
"scope": "read:principals write:policies"
}
Response
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"scope": "read:principals write:policies",
"refresh_token": "rt_1a2b3c4d5e6f..."
}
/oauth/token
Refresh an expired access token
Request Body
{
"grant_type": "refresh_token",
"refresh_token": "rt_1a2b3c4d5e6f...",
"client_id": "your_client_id",
"client_secret": "your_client_secret"
}
Response
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "rt_9z8y7x6w5v4u..."
}
/oauth/revoke
Revoke an access or refresh token
Request Body
{
"token": "eyJhbGciOiJSUzI1NiIs...",
"token_type_hint": "access_token"
}
Response
{
"status": "revoked",
"revoked_at": "2026-02-05T14:20:00Z"
}
Error Codes
Missing or invalid authentication credentials
Valid credentials but insufficient permissions
Rate limit exceeded
Server error occurred
Error Response Format
{
"error": {
"code": "unauthorized",
"message": "Invalid or expired access token",
"details": {
"token_expired_at": "2026-02-05T12:00:00Z"
},
"request_id": "req_1a2b3c4d5e6f"
}
}
Rate Limiting
Authentication endpoints are rate-limited to prevent abuse. Rate limit information is included in response headers.
Rate Limits
Response Headers
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1675598400
The X-RateLimit-Reset header contains a Unix timestamp indicating when the rate limit resets.
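The token lifecycle from the OAuth 2.0 section, as an added example (not TigerIdentity's own code): a client-side cache that renews the access token before expires_in elapses, keeps the refresh_token returned by the latest response, and falls back to a new client_credentials grant when the error envelope comes back for a refresh. The post(path, body) transport returning parsed JSON, the skew margin, and FakeEndpoint with its at_N / rt_N tokens are assumptions constructed for illustration.

```python
import time

class TokenManager:
    """Caches an access token and renews it shortly before it expires."""
    def __init__(self, post, client_id, client_secret, scope, skew=60, clock=time.time):
        self._post = post    # assumed transport: post(path, body_dict) -> parsed JSON dict
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._scope, self._skew = scope, skew   # skew: renew this many seconds early
        self._clock = clock
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, resp):
        if "error" in resp:  # envelope shown under "Error Response Format"
            raise PermissionError(resp["error"]["code"])
        self._access = resp["access_token"]
        self._expires_at = self._clock() + resp["expires_in"]
        # The sample refresh response returns a different refresh_token,
        # so keep whatever the server sent last instead of the original.
        self._refresh = resp.get("refresh_token", self._refresh)

    def _renew(self):
        if self._refresh:
            body = {"grant_type": "refresh_token", "refresh_token": self._refresh}
            try:
                return self._store(self._post("/oauth/token", {**body, **self._creds}))
            except PermissionError:
                self._refresh = None   # refresh token rejected: do a full grant
        body = {"grant_type": "client_credentials", "scope": self._scope}
        self._store(self._post("/oauth/token", {**body, **self._creds}))

    def authorization_header(self):
        if self._access is None or self._clock() >= self._expires_at - self._skew:
            self._renew()
        return {"Authorization": f"Bearer {self._access}"}


class FakeEndpoint:
    """Constructed stand-in for /oauth/token that records each request body."""
    def __init__(self):
        self.calls = []

    def __call__(self, path, body):
        self.calls.append(body)
        n = len(self.calls)
        return {"access_token": f"at_{n}", "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": f"rt_{n}"}
```

Because the client secret and refresh token live only inside the manager, callers handle nothing but the Authorization header it returns.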