Authentication
MangroveAI supports multiple authentication methods to accommodate different use cases.
Authentication Methods
| Method | Best For | Flow |
|---|
| Firebase OAuth | Web apps, mobile apps | Firebase SSO -> Exchange for JWT -> Use JWT |
| API Keys | Scripts, server-to-server, agents | Generate key via portal -> Use in Authorization header |
| GCP IAM Tokens | Cloud infrastructure | gcloud auth print-identity-token -> Use in header |
Firebase Authentication (Recommended for Web/Mobile)
Step 1: Client-Side Firebase Authentication
import { initializeApp } from 'firebase/app';
import { getAuth, signInWithPopup, GoogleAuthProvider } from 'firebase/auth';
const firebaseConfig = {
apiKey: "YOUR_API_KEY",
authDomain: "mangroveai-dev.firebaseapp.com",
projectId: "mangroveai-dev"
};
const app = initializeApp(firebaseConfig);
const auth = getAuth(app);
const provider = new GoogleAuthProvider();
const result = await signInWithPopup(auth, provider);
const firebaseToken = await result.user.getIdToken();
Step 2: Exchange for MangroveAI JWT
curl -X POST http://localhost:5001/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"firebase_token": "YOUR_FIREBASE_TOKEN"
}'
{
"success": true,
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6...",
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6...",
"user": {
"id": "uuid",
"name": "John Doe",
"email": "john@example.com",
"org_id": "uuid"
}
}
- Access token: 1 hour
- Refresh token: 30 days
Step 3: Use JWT for API Requests
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
http://localhost:5001/api/v1/signals
API Key Authentication (Recommended for Programmatic Access)
Generate an API Key
Requires an active JWT session first:
curl -X POST http://localhost:5001/api/v1/auth/api-keys \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Server Key",
"scopes": ["read:strategies", "write:backtests"],
"expires_days": 365
}'
{
"success": true,
"key": "dev_a1b2c3d4e5f6...",
"key_id": "uuid-here",
"key_prefix": "dev_a1b2c3d4",
"name": "Production Server Key",
"created_at": "2025-12-01T10:00:00Z",
"expires_at": "2026-12-01T10:00:00Z"
}
Save the key value immediately. It is only shown once and cannot be retrieved later.
Use the API Key
curl -H "Authorization: Bearer dev_a1b2c3d4e5f6..." \
http://localhost:5001/api/v1/signals
Token Refresh
When your access token expires, use the refresh token to obtain a new one:
curl -X POST http://localhost:5001/api/v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "YOUR_REFRESH_TOKEN"
}'
API Endpoints
| Method | Endpoint | Description |
|---|
POST | /api/v1/auth/login | Exchange Firebase token for JWT |
POST | /api/v1/auth/refresh | Refresh access token |
GET | /api/v1/auth/profile | Get current user profile |
PUT | /api/v1/auth/profile | Update user profile |
POST | /api/v1/auth/api-keys | Generate new API key |
GET | /api/v1/auth/api-keys | List all API keys |
DELETE | /api/v1/auth/api-keys/{key_id} | Revoke an API key |
GET | /api/v1/auth/is-admin | Check admin status |
Authorization Levels
| Level | Required | Access |
|---|
| Authenticated User | Valid JWT or API key | Own data only (strategies, backtests, conversations) |
| Management User | Management API key or admin email | All user data, platform administration |
| Unauthenticated | None | Health checks and Swagger docs only |
Error Responses
401 Unauthorized — Token missing, invalid, or expired:
{
"error": "Unauthorized",
"message": "Invalid or expired token"
}
{
"error": "Forbidden",
"message": "Insufficient permissions for this operation"
}
Security Best Practices
- Never commit tokens or API keys to version control
- Use environment variables for API keys in production
- Rotate API keys regularly — generate new keys, revoke old ones
- Use minimal scopes — only request the permissions you need
- Set expiration dates on API keys
- Store access tokens in memory (not localStorage) for frontend apps
- Store refresh tokens in httpOnly secure cookies or secure storage
