Skip to main content

Documentation Index

Fetch the complete documentation index at: https://prismeai-docs-next.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

The Prisme.ai API uses a robust authentication system to secure access to resources. This guide explains how authentication works and how to implement it in your API requests.

Authentication Methods

JSON Web Tokens (JWTs) are the primary authentication method for web clients and interactive sessions.
1

Obtain a JWT

JWTs are issued in two scenarios:
  1. OpenID Connect (OIDC) authentication: After authenticating with the OIDC server (the api-gateway), clients receive an authorization code that can be exchanged for a JWT. Find your current JWT in the access-token cookie sent to the https://api.studio.prisme.ai/v2/me API after opening any Prisme.ai page
  2. Anonymous authentication: The /v2/login/anonymous endpoint initiates unauthenticated sessions and returns a JWT.
# Example of anonymous login
curl -X POST "https://api.studio.prisme.ai/v2/login/anonymous" \
     -H "Content-Type: application/json"
Response contains a JWT:
{
  "userId": "anon-123456",
  "sessionId": "session-789012",
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleS0xIn0..."
}
2

Use the JWT

Include the JWT in the Authorization header for API requests:
curl -X GET "https://api.studio.prisme.ai/v2/workspaces" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleS0xIn0..."
JWTs have an expiration time defined by the ACCESS_TOKENS_MAX_AGE setting (default is 30 days). Your application should handle token refreshing or re-authentication when tokens expire.

JWT Token Details

JWTs issued by Prisme.ai are signed tokens with the following characteristics:
  • Algorithm: Defined by JWKS_ALG (default: RS256)
  • Key Type: Defined by JWKS_KTY (default: RSA)
  • Key Size: Defined by JWKS_SIZE (default: 2048 bits)
The JWT contains claims about the authenticated user, session, and permissions.Example decoded JWT payload:
  {
    "prismeaiSessionId": "session id",
    "jti": "...",
    "sub": "user id",
    "iat": 1744705420,
    "exp": 1747297420,
    "scope": "events:write events:read webhooks pages:read files:write files:read",
    "client_id": "prismeai-studio-client",
    "iss": "...",
    "aud": "..."
  }
The api-gateway automatically handles JWT key rotation:
  1. JWTs are signed using a JSON Web Key (JWK) that is stored in the api-gateway database
  2. JWKs are automatically rotated according to JWKS_ROTATION_DAYS (default: 30 days)
  3. When a JWK is rotated, it remains available for verification of existing JWTs
  4. Rotated JWKs are removed after ACCESS_TOKENS_MAX_AGE (default: 30 days) once all their signed JWTs should have expired
  5. Events (gateway.jwks.updated and runtime.jwks.updated) synchronize all api-gateway and runtime instances when JWKs are rotated or removed
If a signing JWK is compromised, it must be manually deleted from the database before restarting both api-gateway and runtime services.
Public keys for verifying JWTs are available at:
https://api.studio.prisme.ai/oidc/jwks
This endpoint returns the public keys in JWKS (JSON Web Key Set) format, which can be used to verify token signatures.

Authentication Modes Summary

ModeCallerToken Format
User SessionBrowser / frontendOIDC Bearer token or access-token cookie
API KeyExternal integrationsiak_{orgSlug}_{uuid} in x-prismeai-api-key header
Access TokenProgrammatic clientsat: prefixed token in Authorization header
Cross-Workspace CallOther workspacesIdentified by run.sourceWorkspaceId (injected by runtime)

Active Organization

Every authenticated user has an active organization that scopes permissions and resources. It is resolved on each request:
  1. URL path (/v2/orgs/:orgSlug/...) takes priority
  2. Then the session-persisted activeOrgSlug
  3. Falls back to the user’s first organization membership
Switch organizations with PUT /v2/user/active-org.

Authentication Flow

  1. Client Authentication: The client authenticates via OIDC or anonymous login to obtain a JWT
  2. API Gateway Validation: Requests are sent to the api-gateway with the JWT or access token
  3. Header Transformation: The api-gateway validates the token and adds an x-prismeai-user-id header
  4. Internal Routing: The request is forwarded to the appropriate microservice with the user context
  5. Authorization Check: The target microservice checks if the authenticated user has the required permissions
Backend microservices rely on the x-prismeai-user-id header for identification. This header should not be directly set in client requests, as it will be overwritten by the api-gateway.

Context Available in Automations

When building automations, the following context variables are available from the authenticated request:

Session Context

VariableDescription
{{session.id}}Session ID
{{session.org.slug}}Active organization slug
{{session.org.name}}Organization name
{{session.org.role.slug}}User’s role slug in the active org
{{session.org.role.permissions}}Role permission strings (array)
{{session.org.role.scopes}}Role scope strings (array)
{{session.org.groups}}Groups the user belongs to in this org
{{session.org.settings}}Org settings (e.g. LLM governance)
{{session.org.subscription}}Org subscription object

User Context

VariableDescription
{{user.id}}User ID (read-only)
{{user.email}}User email
{{user.role}}Workspace CASL role (e.g. owner, editor) — not the org role
{{user.orgSlugs}}Array of all org slugs the user belongs to (read-only)

Run Context

VariableDescription
{{run.permissions}}Org permissions as a nested object ({product: {resource: {action: true}}})
{{run.scopes}}Raw scopes array from org role
{{run.correlationId}}Request correlation ID
{{run.sourceWorkspaceId}}Source workspace ID (for cross-workspace calls)
user.role is the workspace-level role (from CASL security rules), not the organization role. The organization role is in session.org.role.

Token Security

Token Storage

  • Store tokens securely (not in localStorage for browser applications)
  • Use HttpOnly cookies where possible
  • For mobile apps, use secure storage mechanisms
  • For server applications, use environment variables or secure vaults

Token Transmission

  • Always use HTTPS/TLS for API communication
  • Use Authorization header rather than query parameters
  • Don’t include tokens in URLs or log them
  • Implement CSRF protection for cookie-based authentication

Token Management

  • Implement token refresh strategies
  • Set appropriate token expiration times
  • Have processes for token revocation
  • Regularly rotate long-lived tokens

Error Handling

  • Handle 401 (Unauthorized) responses properly
  • Don’t expose detailed error information to clients
  • Implement rate limiting for authentication failures
  • Log authentication failures for security monitoring

Authentication Configuration

JWT and authentication behavior can be configured with these environment variables:
VariableDescriptionDefault Value
JWKS_ROTATION_DAYSRotation period in days30
JWKS_KTYJWK Algorithm familyRSA
JWKS_ALGJWK signature algorithmRS256
JWKS_SIZEJWK size2048
ACCESS_TOKENS_MAX_AGEJWT expiration time in seconds2592000 (30 days)

Code Examples

const axios = require('axios');

async function getPrismeData() {
  // Get or refresh your token using your authentication method
  const token = 'YOUR_ACCESS_TOKEN';
  
  try {
    const response = await axios.get('https://api.studio.prisme.ai/v2/workspaces', {
      headers: {
        'Content-Type': 'application/json',
        'Authorization': `Bearer ${token}`
      }
    });
    
    return response.data;
  } catch (error) {
    if (error.response && error.response.status === 401) {
      // Handle authentication error, potentially refresh token
      console.error('Authentication failed, token may be expired');
    } else {
      console.error('API request failed:', error.message);
    }
    throw error;
  }
}

Next Steps

Error Handling

Learn about common API errors and how to handle them

Rate Limits

Understand the API’s rate limiting policies

Security

Read about our security recommendations and best practices