Overview

Vega AI provides multiple authentication methods to secure your API requests and application access. All authenticated endpoints require valid JWT tokens to authorize requests.

Authentication Methods

Username & Password

Traditional login using username and password credentials

Google OAuth

Sign in with your Google account for seamless authentication

Token Refresh

Automatically refresh expired access tokens

Token Verification

Verify token validity and extract user claims

Token Types

Vega AI uses two types of JWT tokens for authentication:

Access Token

  • Short-lived token used for API authentication
  • Must be included in the Authorization header as Bearer {token}
  • Expires after a configured duration (typically 15-60 minutes)
  • Contains user identity claims (user ID, username, role)

Refresh Token

  • Long-lived token used to obtain new access tokens
  • Stored securely and used only for token refresh operations
  • Expires after a longer duration (typically 7-30 days)
  • Automatically rotated when used to refresh access tokens

Security Features

All tokens are signed using HMAC-SHA256 to prevent tampering. Each token contains:

  • User ID and username
  • User role (ADMIN or STANDARD)
  • Token type (access or refresh)
  • Issued at timestamp
  • Expiration timestamp

User passwords are hashed using bcrypt with a secure cost factor before storage. Passwords are never stored in plain text.

Login and token refresh endpoints are protected with rate limiting to prevent brute force attacks. Failed login attempts are logged for security monitoring.

OAuth flows include state parameter validation to prevent cross-site request forgery attacks. State tokens are stored in secure, HTTP-only cookies.
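As an added illustration (not Vega AI's own code), the Python below sketches a server-side verifier for an HS256 token carrying the claims listed above: it pins the algorithm, compares the signature in constant time before trusting any claim, enforces expiry, and refuses a refresh token where an access token is required. The signing key, claim names (sub, username, role, type, iat, exp) and function names are assumptions, not the service's actual implementation.

```python
import base64, hashlib, hmac, json, time

# Constructed signing key for this example; a real service loads it from secret storage.
SECRET = b"example-signing-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id, username, role, token_type, ttl_seconds, now=None):
    """Mint an HS256 JWT with identity, role, token type, issued-at and expiry claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "username": username, "role": role,
              "type": token_type, "iat": now, "exp": now + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)

def verify_token(token, expected_type, now=None):
    """Check structure, algorithm, signature, expiry and token type; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the algorithm: the header is untrusted input until the signature has been checked.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison; any edit to header or claims changes the signing input and fails here.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # A refresh token presented where an access token is required (or vice versa) is rejected.
    if claims.get("type") != expected_type:
        raise ValueError("wrong token type")
    return claims

def validate(token, expected_type, now=None):
    # Status-string wrapper for callers that prefer not to handle exceptions.
    try:
        verify_token(token, expected_type, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```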

Authentication Flow

Making Authenticated Requests

Once you have an access token, include it in the Authorization header of all API requests:

curl -X GET https://api.vega.ai/api/jobs \
  -H "Authorization: Bearer your_access_token_here"

Token Storage: Store tokens securely on the client side. Avoid storing tokens in localStorage for web applications. Use secure, HTTP-only cookies or memory storage instead.

Error Handling

Authentication endpoints return standard HTTP status codes:
  • 200 OK - Authentication successful
  • 400 Bad Request - Invalid request body or missing required fields
  • 401 Unauthorized - Invalid credentials or expired token
  • 429 Too Many Requests - Rate limit exceeded

Next Steps

Login Endpoint

Authenticate with username and password

Refresh Token

Learn how to refresh expired tokens