> ## Documentation Index
> Fetch the complete documentation index at: https://docs.messagesender.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate API requests with Bearer tokens

> Amplifi issues short-lived Bearer tokens for API access. Pass your token and organization ID on every request to authenticate and scope data to your org.

Every Amplifi API request must include two headers: an `Authorization` header containing your Bearer token, and an `x-organization-id` header identifying which organization the request targets. The server validates the Bearer token on each request and checks that the organization ID belongs to your account. Missing or invalid credentials return an error before any data is accessed.

## How authentication works

When your user signs in, Amplifi issues a short-lived JWT access token. You pass this token as a Bearer credential on every API call. Once the token expires, requests return a `401` and you must re-authenticate to get a new token.

## Required headers

<ParamField header="Authorization" type="string" required>
  Bearer token issued when you sign in. Format: `Bearer <access_token>`.
</ParamField>

<ParamField header="x-organization-id" type="string (UUID)" required>
  The UUID of the organization you want to operate against. Your token must belong to a user with access to this organization.
</ParamField>

## Example authenticated request

<CodeGroup>
  ```bash curl theme={null}
  curl https://api.amplifi.com/api/campaigns \
    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
    -H "x-organization-id: 3f4e5c6d-7a8b-9012-cdef-1234567890ab"
  ```

  ```javascript fetch theme={null}
  const response = await fetch("https://api.amplifi.com/api/campaigns", {
    headers: {
      "Authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "x-organization-id": "3f4e5c6d-7a8b-9012-cdef-1234567890ab",
    },
  });
  const campaigns = await response.json();
  ```
</CodeGroup>

## Token expiry and refresh

Supabase issues short-lived access tokens (typically 1 hour, depending on your Supabase project settings). When a token expires, all API calls return a `401 Unauthorized` response.

To get a new token, sign in again through your application's authentication flow. If you are using the Amplifi JavaScript client or managing HTTP calls directly, listen for `401` responses and re-authenticate before retrying the request.

<Note>
  Token refresh happens automatically when using an Amplifi client library. For raw HTTP integrations, handle `401` responses by re-authenticating and retrying with the new token.
</Note>

## Multi-organization support

Your Supabase user account can belong to multiple organizations. The `x-organization-id` header tells the API which organization context to use for the request. All data returned and all writes performed are scoped to that organization.

The organization ID must be a UUID that your authenticated user has been granted access to. If the ID is invalid or you do not have access, the API returns a `403` response.

## Error responses

| Status                  | Meaning                                                                                                       |
| ----------------------- | ------------------------------------------------------------------------------------------------------------- |
| `401 Unauthorized`      | The Bearer token is missing, invalid, or expired. Re-authenticate to get a new token.                         |
| `403 Forbidden`         | The `x-organization-id` is missing, not a valid UUID, or your user does not have access to that organization. |
| `429 Too Many Requests` | You have exceeded the rate limit. Check the `Retry-After` header for when you can retry.                      |

<Warning>
  Never expose your Bearer token in client-side code, logs, or version control. Treat it like a password.
</Warning>