Authorization: Bearer <token> header. Solya
accepts three kinds of bearer token.
The three schemes
| Scheme | Who uses it | Token |
|---|---|---|
| BearerAuth | The web app (human users) and external integrations | A NextAuth session token or a service-account token |
| Service-account token | Programs, scripts, AI agents | An opaque solya_sa_… token (a kind of BearerAuth) |
| InternalBearerAuth | Internal services / cron only | A static server-side token — not user-creatable |
Authorization: Bearer header as a user session, so the same endpoints work for both.
Service-account tokens
A service-account token represents an organization, not a person, and carries an explicit set of permissions.- Format —
solya_sa_followed by 43 URL-safe characters (≈ 52 characters total), backed by 256 bits of entropy. - Storage — Solya stores only a SHA-256 hash. The plaintext token is shown once at creation and never again — copy it immediately into your secret manager.
- Permissions — fixed at creation. The token can do only what its permissions allow
(the same permission model as roles — e.g.
inventoryPlans.view,analytics.view,dataPlatform.configure). - Expiry — optional, up to 365 days; you can also choose “never expires”.
- Limit — up to 50 active tokens per organization.
Create a token
Copy the plaintext once
Copy the
solya_sa_… value immediately and store it securely. You won’t be able to
see it again — only its last characters are shown afterwards.Use a token
Revoke a token
Revoke a token from Settings → API tokens at any time — revocation is immediate. Tokens are also revoked automatically if the user who created them is removed from the organization.Check who you are
CallGET /api/auth/whoami to confirm a token is valid and see its effective access: