Authentication Guide

BuildStability uses Supabase Auth for authentication. All API requests require a valid JWT.

Getting Your Access Token:

Method 1: Copy Token (Easiest)

Go to Business Settings → API & Integrations → Copy Token (available once API access is enabled). Use it as `Authorization: Bearer <token>`.

Method 2: Browser / Local Storage

1. Log in to BuildStability
2. Open DevTools (F12) > Application > Local Storage
3. Find the `sb-<project-ref>-auth-token` entry and copy its `access_token` value

Method 3: Supabase Client

```typescript
const { data: { session } } = await supabase.auth.getSession();
const accessToken = session?.access_token;
```

What a JWT looks like: three base64url segments separated by dots (header.payload.signature), typically 200–500+ characters.

What to do with it: set `Authorization: Bearer <token>` on MCP, PostgREST, or any other JWT-authenticated request.

Token Expiration:

- Access tokens: 1 hour
- Refresh tokens: 30 days
- The Supabase client auto-refreshes tokens

Security Best Practices:

- ✅ Never commit tokens to version control
- ✅ Use environment variables
- ✅ Store tokens securely (Keychain/Keystore on mobile)
- ✅ Always use HTTPS
- ✅ Rotate tokens if compromised

API Access Must Be Enabled:

For security, API/MCP access must be explicitly enabled for each business. Business administrators can enable this in Business Settings > API & Integrations.

Multi-Tenancy:

Your token is automatically scoped to your business. You can only access data for businesses where you are an active member AND where API access has been enabled.

Multi-Business Users:

If you belong to multiple businesses, use the `X-Business-ID` header to specify which business to access. Without this header, the system uses your first API-enabled business.
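The following is an added example, not BuildStability's or Supabase's own code. It shows the client-side checks a practitioner would want before attaching a token: confirming the three-segment JWT shape described above, reading the `exp` claim to avoid sending a token that the 1-hour lifetime has already (or nearly) invalidated, and building the `Authorization` and `X-Business-ID` headers. It assumes Node's `Buffer` for base64url decoding; the sample token, the `user-123` subject and the `biz-1` business ID are constructed for illustration. Decoding here is only a sanity check: the client does not hold the signing key, so signature verification is the API's job, and a token that passes these checks can still be rejected server-side.

```typescript
// Added example (not BuildStability's code): inspect a Supabase-style access
// token before use, refuse expired tokens, and build request headers.
// The sample token is constructed locally with a dummy signature; it is not a
// real credential and the API would reject it.

type JwtPayload = { sub?: string; exp?: number; iat?: number; role?: string; [k: string]: unknown };

function b64urlEncode(s: string): string {
  return Buffer.from(s, "utf8").toString("base64url");
}

function b64urlDecode(s: string): string {
  return Buffer.from(s, "base64url").toString("utf8");
}

// Split header.payload.signature and decode the two JSON segments.
// No signature check: the client cannot verify (no signing key); the API does.
function decodeJwt(token: string): { header: Record<string, unknown>; payload: JwtPayload } {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a JWT: expected header.payload.signature");
  }
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Treat a token as expired `skewSeconds` before its real `exp` so a request
// does not fail mid-flight; a token with no `exp` is treated as unusable.
function isExpired(token: string, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30): boolean {
  const { payload } = decodeJwt(token);
  if (typeof payload.exp !== "number") return true;
  return payload.exp - skewSeconds <= nowSeconds;
}

// Headers for an API/MCP/PostgREST call. X-Business-ID is only added when the
// caller selects a business (omitting it falls back to the first API-enabled one).
function buildHeaders(token: string, businessId?: string, nowSeconds?: number): Record<string, string> {
  if (isExpired(token, nowSeconds)) {
    throw new Error("access token expired; refresh it (e.g. supabase.auth.getSession()) before calling the API");
  }
  const headers: Record<string, string> = { Authorization: `Bearer ${token}` };
  if (businessId) headers["X-Business-ID"] = businessId;
  return headers;
}

// Constructed sample: 1-hour lifetime like a Supabase access token, with the
// `sub`/`role`/`iat`/`exp` claims Supabase issues. Signature is a placeholder.
function makeSampleToken(iat: number): string {
  const header = b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64urlEncode(
    JSON.stringify({ sub: "user-123", role: "authenticated", iat, exp: iat + 3600 })
  );
  return `${header}.${payload}.${b64urlEncode("not-a-real-signature")}`;
}

// Usage: read the real token from the environment rather than hard-coding it.
const issuedAt = 1_700_000_000;
const demoToken = process.env.BUILDSTABILITY_TOKEN ?? makeSampleToken(issuedAt);
console.log(decodeJwt(demoToken).payload);
console.log(buildHeaders(demoToken, "biz-1", issuedAt + 60));
```

The early-expiry skew is deliberate: with a 1-hour access token, refreshing a few seconds early is cheaper than retrying a request that was rejected because the token lapsed in transit.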
