Authorization
Info: The epilot application uses standard OAuth 2.0 tokens (JWT) for authorization.
Authorization Header
Pass a valid bearer token in the Authorization request header to authorize API requests:
Authorization header
Authorization: Bearer <your-access-token>
API Gateway Authorizer
All requests to epilot APIs pass through an API Gateway authorizer that validates the bearer token and extracts claims. Backend microservices receive these claims as verified context.
Permissions API
The JWT identifies the user (user ID, organization) but does not encode what the user is allowed to do. To check whether a user may perform a specific action, call the Permissions API.
Check permissions
import { tokenIsPermitted } from '@epilot/permissions'
const isPermitted = await tokenIsPermitted(context.token, 'myaction')
See the full Permissions documentation for details on roles, grants, and evaluation logic.
See Also
- Token Types - comparison of all epilot token types
- Permissions - role-based access control
- @epilot/permissions - permissions evaluation package