Authentication
All Factory OS API requests are authenticated with a Supabase JWT bearer token.
The Factory OS API uses Supabase Auth JWTs. Every request (except /health and public auth endpoints) must include a valid bearer token.
Token format
```
Authorization: Bearer <supabase_access_token>
```

Tokens are scoped to the user they were issued to. The API automatically enforces organization and factory access based on that user's role assignments.
Getting a token
Sign in at xentr.ai. Your session token is stored in the browser's local storage under a key matching sb-*-auth-token. Copying it from there is fine for quick testing, not for an integration.
Use the Supabase JS client to sign in with email/password, OTP, or OAuth:
```typescript
import { createClient } from '@supabase/supabase-js';

const supabase = createClient(
  process.env.SUPABASE_URL!,
  process.env.SUPABASE_ANON_KEY!,
);

const { data, error } = await supabase.auth.signInWithPassword({
  email: 'you@company.com',
  password: '...',
});
if (error) throw error;

// Send this value as `Authorization: Bearer <token>` on every API request.
const token = data.session?.access_token;
```

Long-lived service tokens for CI/CD and server-to-server integrations are on the roadmap.
Roles
Xentr has six canonical roles that gate API access:
| Role | Scope |
|---|---|
| xentr_platform_owner | Full platform access |
| xentr_account_manager | Customer provisioning |
| organization_admin | Everything within an org |
| production_engineer | Machines, routings, telemetry |
| production_planner | Work orders, scheduling |
| production_qa | Quality checks, defects |
Each API endpoint documents the roles required in its reference page.
Errors
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing, invalid, or expired token. Re-authenticate. |
| 403 Forbidden | Token is valid but the user lacks the role required for this endpoint or resource. |
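The following is an added example, not Factory OS or Xentr client code. It ties the Token format section to the Errors table: a small client that sends the bearer header, checks the token's `exp` claim locally so an obviously expired token is never sent, re-authenticates once on 401, and treats 403 as a role problem that a retry cannot fix. `API_BASE`, the `/machines` path and the `getFreshToken` callback are hypothetical; the sample JWT is constructed inside the block and unsigned, so it is only good for parsing (the API verifies signatures server-side, the client never does).

```typescript
// Added example (not Factory OS / Xentr code). API_BASE, '/machines' and
// getFreshToken are hypothetical; the sample JWT below is constructed and unsigned.

const API_BASE = 'https://api.example.invalid'; // hypothetical base URL
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Dependency-free base64url codec so the block runs under any TS runner.
function b64urlEncode(s: string): string {
  let out = '', acc = 0, bits = 0;
  for (let i = 0; i < s.length; i++) {
    acc = (acc << 8) | (s.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64[(acc >> bits) & 63]; }
    acc &= (1 << bits) - 1;
  }
  if (bits > 0) out += B64[(acc << (6 - bits)) & 63];
  return out.replace(/\+/g, '-').replace(/\//g, '_');
}

function b64urlDecode(s: string): string {
  const std = s.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  let out = '', acc = 0, bits = 0;
  for (const ch of std) {
    const v = B64.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url');
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

// Constructed sample token (header.payload.fake-signature) for local parsing only.
function makeSampleToken(exp: number): string {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ sub: 'user-123', role: 'authenticated', exp }));
  return `${header}.${payload}.not-a-real-signature`;
}

// Read the payload without verifying: the server checks the signature, the
// client only wants the exp claim to avoid sending a dead token.
function jwtPayload(token: string): Record<string, unknown> {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1])) as Record<string, unknown>;
}

// Expire skewSeconds early so a request does not race the exp boundary;
// a token with no exp claim is refused rather than sent.
function isExpired(token: string, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30): boolean {
  const exp = jwtPayload(token).exp;
  return typeof exp !== 'number' || exp - skewSeconds <= nowSeconds;
}

interface MinimalResponse { status: number; json(): Promise<unknown>; }
type FetchLike = (url: string, init: { headers: Record<string, string> }) => Promise<MinimalResponse>;
type ApiResult =
  | { ok: true; body: unknown }
  | { ok: false; reason: 'unauthorized' | 'forbidden' | 'other'; status: number };

async function apiRequest(
  path: string,
  token: string,
  getFreshToken: () => Promise<string>, // in a real client: re-run the Supabase sign-in / session refresh
  fetchImpl: FetchLike,
  nowSeconds?: number,
): Promise<ApiResult> {
  // The token goes only into the Authorization header; never log it.
  const send = (bearer: string) =>
    fetchImpl(API_BASE + path, { headers: { Authorization: `Bearer ${bearer}` } });
  let bearer = isExpired(token, nowSeconds) ? await getFreshToken() : token;
  let res = await send(bearer);
  if (res.status === 401) { // Errors table: re-authenticate, but only once
    bearer = await getFreshToken();
    res = await send(bearer);
  }
  if (res.status === 401) return { ok: false, reason: 'unauthorized', status: 401 };
  if (res.status === 403) return { ok: false, reason: 'forbidden', status: 403 }; // missing role: retrying cannot help
  if (res.status >= 200 && res.status < 300) return { ok: true, body: await res.json() };
  return { ok: false, reason: 'other', status: res.status };
}
```

The split between 401 and 403 matters operationally: a 401 is worth one re-authentication, while a 403 means the token is fine and the user lacks the role from the Roles table, so the client should surface it to the user rather than loop on retries.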
CORS
Browser requests from these origins are allowed:
- https://xentr.ai
- https://www.xentr.ai
- http://localhost:3000 (local development)
For requests from other origins, contact support.