Note: Access tokens are short-lived. When the token expires, call POST /api/v1/auth/refresh (the refresh token is sent automatically via the HTTP-only cookie) to obtain a new access token without re-entering credentials.
Method 2: OAuth2 Client Credentials (Client Way)
Best for: server-to-server communication, scheduled jobs, and microservice-to-microservice calls where no user is involved.
Flow:
POST /api/v1/auth/token with client_id + client_secret + grant_type=client_credentials
Receive an access token in the response body
Send the access token as a Bearer token in the Authorization header
Note: Client credentials are obtained from the Primebrick admin panel or directly from Casdoor. Treat them like passwords — store them in a secrets manager, never in source control.
Method 3: API Key (Third-Party Way)
Best for: third-party integrations, simple scripts, and any scenario where token exchange logic is overkill.
Flow:
Obtain an API key from the Primebrick admin panel
Send the key as an X-API-Key header on every request
No token exchange, no refresh logic, no cookie handling.
Note: API keys are long-lived but revocable from the admin panel. They can also be scoped to specific permissions, limiting what a third party can do if a key is leaked.
Comparison Table
Method
Use Case
Token Type
Expiry
Scopes
User Token
End user login
JWT
Short-lived (refresh)
User permissions
Client Credentials
Server-to-server
JWT
Short-lived
Client permissions
API Key
Third-party integrations
Static key
No expiry (revocable)
Scoped permissions
API Explorer
The API Explorer on this site uses API keys for simplicity. To try the API:
Get an API key from your Primebrick admin panel.
Enter it in the config panel at the top of the API Explorer page.
The key is sent as an X-API-Key header on all requests.
Note: User tokens (username/password → JWT) and OAuth2 client credentials are fully supported by the Primebrick platform, but they are not exposed in the API Explorer REPL yet. The explorer's auth UI supports bearer tokens and API keys. For full OAuth2 flows, use Casdoor directly or your own client.