
Admin Authentication

All admin endpoints require a Bearer token in the Authorization header. The token must be a valid access token whose audience is the target project (or proj_admin, for super-admin access) and whose user has role = "admin" on that project.

Authorization: Bearer <access_token>

A user with role = "admin" on a specific project can manage that project’s resources (users, sessions, PINs, settings).

Token must be valid for the target project:

Access token audience: proj_gym
Target: /admin/projects/proj_gym/users
Result: ✅ Allowed

A user with role = "admin" on proj_admin can manage all projects. This is the highest privilege level.

Access token audience: proj_admin
Target: /admin/projects/proj_gym/users
Result: ✅ Allowed (super-admin can access any project)

Super-admin is required for:

  • POST /admin/projects (create new projects)
  • GET /admin/projects (list all projects)

To obtain a super-admin token:

  1. Authenticate via the normal OAuth2 flow against proj_admin (the admin project)
  2. Use the returned access token as your Bearer token
  3. Refresh as needed using the standard refresh flow
Error responses:

  Status  Cause
  401     Missing or invalid Bearer token (absent, malformed, bad signature, or expired)
  403     Valid token, but the user is not an admin for the target project (or the endpoint requires super-admin)
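The decision the admin API makes on every request, as an added example that is not the project's own code: it verifies an HS256 access token, checks the role and audience claims, and returns 401 or 403 exactly as the table above describes, including the super-admin-only endpoints. Everything beyond the page is an assumption: the shared secret, the claim names aud/role/exp, and the /admin/projects/<id>/... path layout are placeholders, and mint_token exists only to construct test tokens that the real OAuth2 flow would issue.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed HS256 secret for this example only; the real key lives server-side.
SECRET = b"example-only-secret"
ADMIN_PROJECT = "proj_admin"
# Endpoints the page lists as super-admin only.
SUPER_ADMIN_ONLY = {("POST", "/admin/projects"), ("GET", "/admin/projects")}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(aud: str, role: str, ttl: int = 3600) -> str:
    """Constructed test token (the OAuth2 flow issues real ones).
    Claim names aud/role/exp are assumptions, not the page's spec."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": aud, "role": role, "exp": int(time.time()) + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: never let the token pick "none" or another alg.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(claims_b64))
        if claims.get("exp", 0) <= time.time():
            return None
        return claims
    except ValueError:  # bad split, bad base64, bad JSON, bad UTF-8
        return None


def target_project(path: str) -> Optional[str]:
    """Project id from /admin/projects/<id>/... (assumed path layout)."""
    parts = path.strip("/").split("/")
    if len(parts) >= 3 and parts[:2] == ["admin", "projects"]:
        return parts[2]
    return None


def authorize(method: str, path: str, authorization: Optional[str]) -> int:
    """HTTP status the admin API answers with: 200, 401 or 403."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401  # no usable token at all
    claims = verify_token(authorization[len("Bearer "):])
    if claims is None:
        return 401  # present but invalid (signature, format, expiry)
    if claims.get("role") != "admin":
        return 403  # authenticated, but not an admin anywhere
    aud = claims.get("aud")
    if aud == ADMIN_PROJECT:
        return 200  # super-admin: every project, plus the project-level endpoints
    if (method, path) in SUPER_ADMIN_ONLY:
        return 403  # project admin trying a super-admin-only endpoint
    project = target_project(path)
    if project is None or project != aud:
        return 403  # token is for a different project than the one targeted
    return 200
```

The order of the checks matters for the status codes: anything that fails before the claims are trusted is a 401, and only a verified token can produce a 403. Note that a proj_gym token aimed at /admin/projects/proj_yoga/users is rejected on the audience mismatch even though the user is an admin somewhere.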
# Get an access token for proj_admin first (via OAuth2 flow)
# Then use it for admin API calls:
curl https://auth.beshoy.ai/admin/projects/proj_gym/users \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..."