App-scoped authentication
When making calls to the Rownd REST API, you must include your app key/secret pair in the request headers. The app key is used to identify the app making the request, and the secret is used to authenticate the request. Ensure the following headers are present:
X-Rownd-App-Key: <your-app-key>
X-Rownd-App-Secret: <your-app-secret>
User-initiated requests use bearer token authentication; the token is generated when a user signs in. You’ll usually obtain this token from one of our SDKs and use it to call user-based Rownd APIs in addition to your own API stack.
User-scoped authentication
In most cases, Rownd’s SDKs and the Rownd Hub call Rownd APIs on behalf of a user. In these cases, the user’s bearer token is included in the request headers. The bearer token is used to identify the user making the request, and to authenticate the request.
We recommend that you use Rownd bearer tokens to authenticate users against your own API or service. Since Rownd’s tokens are signed asymmetrically, you can use our public JWK set to validate a token’s signature.
If you’re using a Rownd server SDK (e.g., Node.js), convenience methods or middleware are provided to automatically validate a bearer token and attach the user’s profile to the request object.
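The signature check described above, written with Node's built-in crypto module as an added example (not Rownd's SDK code and not from the original page). The Ed25519 key pair, the `sample-key-1` key id, the EdDSA algorithm and the `signSample`/`verifyBearer` names are assumptions constructed here; a real service would load the published JWK set instead of generating one.

```javascript
// Added example: verify an asymmetrically signed bearer JWT against a JWK set.
const crypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');

// Constructed stand-in for the token issuer: an Ed25519 key pair and the public
// JWK set a verifier would normally download (kid and alg are assumptions).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const SAMPLE_JWKS = {
  keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-key-1', alg: 'EdDSA' }],
};

// Constructed helper that mints sample tokens so the verifier has input.
function signSample(claims, header = { alg: 'EdDSA', kid: 'sample-key-1' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${b64u(crypto.sign(null, Buffer.from(input), privateKey))}`;
}

// Returns the verified claims or throws; `authorization` is the raw header value.
function verifyBearer(authorization, jwks, now = Date.now() / 1000) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || '');
  if (!m) throw new Error('malformed bearer token');
  const [, h, p, s] = m;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());

  // Pin the algorithm server-side: the token must not pick "none" or an HMAC alg.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');

  // Select the key by kid from the trusted set, never from the token itself.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'OKP');
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x },
    format: 'jwk',
  });

  // Verify the signature over the exact bytes received, before trusting any claim.
  const ok = crypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');

  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}
```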