Authentication
All /api/v1/* endpoints require a valid JWT issued by the Authentik OIDC provider.
Pass the token in the Authorization header:
Authorization: Bearer <your-jwt-token>
JWT Claims
| Claim | Type | Description |
|---|---|---|
| sub | UUID | User ID |
| akili_tenant_id | UUID | Tenant ID (custom claim) |
| akili_roles | string[] | Role list: admin, developer, viewer |
| email | string | User email |
| exp | integer | Expiration timestamp (Unix epoch) |
| iat | integer | Issued-at timestamp (Unix epoch) |
| iss | string | Issuer URL (must match the Authentik issuer) |
Role Permissions
| Role | Products | Tenants | DLQ | Admin |
|---|---|---|---|---|
| viewer | Read only | Own tenant | Read only | No |
| developer | Full CRUD + deploy | Own tenant | Read + replay | No |
| admin | Full CRUD + deploy | Full CRUD | Full access | Yes |
Caution: Tenant isolation is enforced at every layer. All queries are scoped by the tenant_id taken from the JWT (the akili_tenant_id claim), never from request parameters, with Row-Level Security (RLS) at the database layer. Cross-tenant access is only available to the admin role, and only on the /tenants endpoint.
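The following Go program is an added example of how a resource server behind /api/v1/* would enforce the rules above: verify the RS256 signature, pin iss and check exp/iat, read akili_tenant_id and akili_roles, map the role table to permission checks, and pin every query to the caller's own tenant unless the caller is an admin on /tenants. It is not the project's own code. The action names ("products:write", "dlq:replay", ...) and the issuer URL are assumptions for the demo, and MintToken only stands in for Authentik so the example runs offline. Authentik's actual signing algorithm and key material are not described on this page; RS256 is assumed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the JWT claims table; the struct tags are the claim names.
type Claims struct {
	Sub      string   `json:"sub"`
	TenantID string   `json:"akili_tenant_id"`
	Roles    []string `json:"akili_roles"`
	Email    string   `json:"email"`
	Exp      int64    `json:"exp"`
	Iat      int64    `json:"iat"`
	Iss      string   `json:"iss"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// VerifyToken checks an RS256 compact JWT (header.payload.signature) against the
// issuer's public key, then enforces iss, exp and iat. Claims are returned only
// when every check passes, so callers never act on unverified data.
func VerifyToken(token string, pub *rsa.PublicKey, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: trusting "alg" from the token would let an attacker send
	// alg=none, or an HS256 token "signed" with the public key as the HMAC secret.
	if json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload encoding")
	}
	var c Claims
	if json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("issuer %q is not the configured Authentik issuer", c.Iss)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Iat > now.Unix()+60: // allow a minute of clock skew on issued-at
		return nil, errors.New("token issued in the future")
	case c.Sub == "" || c.TenantID == "":
		return nil, errors.New("missing sub or akili_tenant_id")
	}
	return &c, nil
}

func HasRole(c *Claims, role string) bool {
	for _, r := range c.Roles {
		if r == role {
			return true
		}
	}
	return false
}

// Authorize encodes the role table. Action names are assumed for this example.
func Authorize(c *Claims, action string) error {
	admin := HasRole(c, "admin")
	developer := admin || HasRole(c, "developer")
	viewer := developer || HasRole(c, "viewer")
	allowed, known := map[string]bool{
		"products:read":  viewer,
		"products:write": developer, // CRUD and deploy
		"tenants:read":   viewer,    // own tenant only; cross-tenant is decided in TenantScope
		"tenants:write":  admin,
		"dlq:read":       viewer,
		"dlq:replay":     developer,
		"admin":          admin,
	}[action]
	if !known {
		return fmt.Errorf("unknown action %q", action)
	}
	if !allowed {
		return fmt.Errorf("roles %v may not %s", c.Roles, action)
	}
	return nil
}

// TenantScope returns the tenant_id every query must be scoped to. Callers are
// pinned to the tenant in their own JWT; only an admin on /tenants may name another.
func TenantScope(c *Claims, requested, endpoint string) (string, error) {
	if requested == "" || requested == c.TenantID {
		return c.TenantID, nil
	}
	if HasRole(c, "admin") && endpoint == "/tenants" {
		return requested, nil
	}
	return "", errors.New("cross-tenant access denied")
}

// MintToken signs claims as RS256. It stands in for Authentik so the demo runs offline.
func MintToken(c Claims, priv *rsa.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

func main() {
	const issuer = "https://authentik.example.com/application/o/akili/" // assumed URL
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	tok := MintToken(Claims{Sub: "user-1", TenantID: "tenant-1", Roles: []string{"developer"},
		Email: "dev@example.com", Exp: now.Unix() + 600, Iat: now.Unix(), Iss: issuer}, priv)
	c, err := VerifyToken(tok, &priv.PublicKey, issuer, now)
	fmt.Println("verify:", err, "replay:", Authorize(c, "dlq:replay"), "tenants:write:", Authorize(c, "tenants:write"))
	fmt.Println(TenantScope(c, "tenant-2", "/tenants"))
}
```

Two design points worth noting. The algorithm is hard-coded rather than read from the token header, which closes the classic alg=none and RS256-to-HS256 confusion bugs. And TenantScope never takes the tenant from a query parameter as authoritative: a non-admin asking for another tenant gets an error rather than silently being redirected to their own, so the attempt is visible in logs while RLS at the database remains the second line of defence.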