
Authentication

The Slim.io API authenticates with Firebase ID tokens (JWTs). Every API request must include a valid token as a Bearer credential in the Authorization header; workspace-scoped API keys (described below) are sent the same way.

Obtaining a Token

Your API credentials are provisioned when your tenant is created. Contact your account administrator for API keys or service account details.

From the Firebase Auth SDK

If you are building a client application, use the Firebase Authentication SDK to obtain an ID token (a JWT) for the signed-in user:

import { getAuth } from 'firebase/auth'

const auth = getAuth()
const user = auth.currentUser
if (!user) {
  throw new Error('No signed-in user: sign in before requesting an ID token')
}
// getIdToken() returns the cached token and refreshes it when it is within a few minutes of expiry
const token = await user.getIdToken()

From a Service Account

For server-to-server integrations, use a Firebase service account to generate custom tokens:

import firebase_admin
from firebase_admin import auth

# With no arguments the Admin SDK uses Application Default Credentials,
# e.g. the service account JSON file named by GOOGLE_APPLICATION_CREDENTIALS
firebase_admin.initialize_app()

# Mint a custom token for the UID that represents this integration.
# create_custom_token() returns bytes; decode before sending it over HTTP.
custom_token = auth.create_custom_token(uid='service-account-uid').decode('utf-8')

Then exchange the custom token for an ID token via the Firebase Auth REST API.
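What that exchange looks like in practice, as an added example that is not Slim.io's or Firebase's own code: the custom token is POSTed to the accounts:signInWithCustomToken endpoint that backs the Firebase Auth REST API, and the idToken in the response is the value that goes into the Authorization header. The key query parameter is the Firebase project's Web API key, not a Slim.io API key. The fetchImpl and now parameters, the authorizationHeader helper and the fake endpoint used to run the example offline are this example's own.

```javascript
// Added example: exchange a Firebase custom token for an ID token over REST.
// The endpoint and the request/response fields are Firebase's documented
// accounts:signInWithCustomToken contract; everything else here is the example's own.

const SIGN_IN_URL = 'https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken'

async function exchangeCustomToken(customToken, firebaseWebApiKey, { fetchImpl = fetch, now = Date.now } = {}) {
  // `key` is the Firebase project's Web API key (from the Firebase console), not a Slim.io sk_live_ key
  const url = `${SIGN_IN_URL}?key=${encodeURIComponent(firebaseWebApiKey)}`
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ token: customToken, returnSecureToken: true }),
  })
  const body = await res.json()
  if (!res.ok) {
    // Identity Toolkit reports failures as { error: { code, message } }, e.g. INVALID_CUSTOM_TOKEN
    const reason = body && body.error && body.error.message ? body.error.message : `HTTP ${res.status}`
    throw new Error(`custom token exchange failed: ${reason}`)
  }
  // expiresIn is a string of seconds; turn it into an absolute time so the caller can
  // schedule a refresh before the ID token's one hour lifetime ends
  return {
    idToken: body.idToken,
    refreshToken: body.refreshToken,
    expiresAt: now() + Number(body.expiresIn) * 1000,
  }
}

// Header to attach to every Slim.io API request made with the exchanged token
function authorizationHeader(session) {
  return { Authorization: `Bearer ${session.idToken}` }
}

// Constructed stand-in for the Identity Toolkit endpoint so the example runs offline.
// It accepts exactly one made-up custom token and answers anything else with the
// 400 / INVALID_CUSTOM_TOKEN shape the real endpoint uses.
function fakeIdentityToolkitFetch(url, init) {
  const sent = JSON.parse(init.body)
  const accepted = url.startsWith(SIGN_IN_URL) && sent.token === 'custom.token.example' && sent.returnSecureToken === true
  const body = accepted
    ? { idToken: 'eyJhbGciOiJSUzI1NiIs.example.idtoken', refreshToken: 'refresh-example', expiresIn: '3600' }
    : { error: { code: 400, message: 'INVALID_CUSTOM_TOKEN' } }
  return Promise.resolve({ ok: accepted, status: accepted ? 200 : 400, json: async () => body })
}

// Stand-alone run against the constructed endpoint
exchangeCustomToken('custom.token.example', 'firebase-web-api-key', { fetchImpl: fakeIdentityToolkitFetch })
  .then((session) => console.log(authorizationHeader(session), 'expires at', new Date(session.expiresAt).toISOString()))
```

When the hour is up, either mint a fresh custom token and repeat the exchange, or send the refreshToken to Firebase's securetoken.googleapis.com/v1/token endpoint (grant_type=refresh_token) to get a new ID token without involving the Admin SDK again.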

From an API Key

For simpler integrations, generate an API key from the Customer Dashboard under Settings > API Keys:

curl -X GET https://api.slim.io/api/v1/connectors \
  -H "Authorization: Bearer sk_live_abc123def456"

API keys are scoped to a specific workspace and role. They cannot be used to manage workspace settings or member access. For full administrative access, use a Firebase JWT token.

Authorization Header

Include the token in every API request:

curl -X GET https://api.slim.io/api/v1/connectors \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

The Bearer prefix is required. Requests without a valid authorization header receive a 401 Unauthorized response.

Token Refresh

Firebase ID tokens expire after 1 hour. The recommended refresh strategy:

  1. Attach a token listener so that each refreshed token reaches your API client before the previous one expires:

import { getAuth, onIdTokenChanged } from 'firebase/auth'

const auth = getAuth()
let token = null

// Fires on sign-in, sign-out and every time the SDK issues a new ID token
onIdTokenChanged(auth, async (user) => {
  if (user) {
    token = await user.getIdToken()
    // Update your API client's authorization header with the new token
  } else {
    token = null
  }
})

  2. On a 401 response, force a token refresh and retry the request once (using the auth and token declared in step 1):

async function apiCall(url, options = {}) {
  // Build the request with the given token in the Authorization header
  const withAuth = (t) => ({ ...options, headers: { ...options.headers, Authorization: `Bearer ${t}` } })
  let response = await fetch(url, withAuth(token))
  if (response.status === 401 && auth.currentUser) {
    token = await auth.currentUser.getIdToken(true) // force refresh
    response = await fetch(url, withAuth(token))      // retry once; a second 401 goes back to the caller
  }
  return response
}

The Slim.io Customer Dashboard uses a centralized ApiClient wrapper that handles token refresh automatically. If you are building a custom integration, you must implement refresh logic yourself.

Token Payload

The Firebase JWT token payload includes:

Claim   Description
sub     User’s Firebase UID
email   User’s email address
iat     Token issue time (Unix timestamp)
exp     Token expiry time (Unix timestamp, +1 hour from issue)
aud     Firebase project ID

Slim.io extracts the sub claim to identify the user and resolve their workspace membership and role.

Token Validation

The API validates tokens on every request through the following process:

  1. Extract the Authorization header
  2. Verify the JWT signature against the identity provider’s public keys
  3. Check token expiry (exp claim)
  4. Resolve the user’s tenant and workspace from the sub claim
  5. Attach user context to the request for authorization checks

Invalid tokens, expired tokens, or missing headers result in a 401 response with error details.

Security Best Practices

  1. Never expose tokens in URLs — Always use the Authorization header, never query parameters
  2. Store tokens securely — Use secure, HTTP-only cookies or in-memory storage, not localStorage
  3. Rotate API keys — Rotate API keys at least quarterly and immediately if compromised
  4. Use least-privilege keys — Create API keys with the minimum required role (prefer Viewer for read-only integrations)
  5. Monitor token usage — Review API key usage logs in the dashboard for anomalous patterns