Client Token Auth
To protect your billing credentials and developer keys, browser-facing applications must authenticate using short-lived Client Tokens.
Authentication Lifecycle
Token Generation Endpoint
On your backend application server, generate a token using your master API key:
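```typescript
// Node.js Express example
// Assumes `app` is an Express app with session middleware and Node 18+ (global fetch).
app.get("/api/uclaw-token", async (req, res) => {
  // Ensure the user is logged in first
  if (!req.session.userId) {
    return res.status(401).send("Unauthorized");
  }
  try {
    const response = await fetch("https://api.uclaw.dev/v1/client-tokens", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${process.env.UCLAW_API_KEY}`,
      },
      body: JSON.stringify({
        appId: "default",
        // Restrict this token to the user's isolated workspace
        userId: req.session.userId,
        ttl: 3600, // 1 hour expiration
      }),
    });
    // Do not forward upstream error bodies to the browser
    if (!response.ok) {
      return res.status(502).send("Token service error");
    }
    const data = await response.json();
    res.json({ token: data.token });
  } catch (err) {
    // Network failure or invalid JSON: respond instead of leaving the promise rejected
    res.status(502).send("Token service error");
  }
});
```

To learn about the lower-level communication frames sent over WebSockets, check out the Messaging Protocol.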
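
A browser-side counterpart to the token endpoint above, added here as an example (it is not uclaw's own client code): an in-memory cache that requests a token from `/api/uclaw-token`, shares one request between concurrent callers, and refreshes shortly before the one-hour TTL runs out. `ClientTokenCache`, `fetchFromBackend` and the one-minute refresh skew are assumptions, as is serving the route same-origin.

```typescript
// Added example; assumes the route above is same-origin and issues ttl: 3600 tokens.
type TokenFetcher = () => Promise<string>;
const TOKEN_TTL_MS = 3600 * 1000; // must match the ttl requested by the backend
const REFRESH_SKEW_MS = 60 * 1000; // assumed: refresh one minute before expiry

class ClientTokenCache {
  private token: string | null = null; // kept in memory only, not in localStorage
  private expiresAt = 0;
  private inFlight: Promise<string> | null = null;
  private fetchToken: TokenFetcher;
  private now: () => number;
  constructor(fetchToken: TokenFetcher, now: () => number = Date.now) {
    this.fetchToken = fetchToken;
    this.now = now;
  }

  // Returns a token that stays valid for at least REFRESH_SKEW_MS.
  async get(): Promise<string> {
    if (this.token !== null && this.now() < this.expiresAt - REFRESH_SKEW_MS) {
      return this.token;
    }
    if (this.inFlight === null) {
      // Concurrent callers share one request to the backend.
      const requestedAt = this.now(); // conservative: count the TTL from request time
      this.inFlight = this.fetchToken().then(
        (token) => {
          this.inFlight = null;
          this.token = token;
          this.expiresAt = requestedAt + TOKEN_TTL_MS;
          return token;
        },
        (err) => { this.inFlight = null; throw err; },
      );
    }
    return this.inFlight;
  }

  // Call on logout so the token does not outlive the session.
  clear(): void { this.token = null; this.expiresAt = 0; }
}

// Default fetcher: same-origin request that carries the session cookie.
async function fetchFromBackend(): Promise<string> {
  const res = await fetch("/api/uclaw-token", { credentials: "same-origin" });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const data = (await res.json()) as { token?: unknown };
  if (typeof data.token !== "string") throw new Error("malformed token response");
  return data.token;
}
```

In the page, create one instance with `new ClientTokenCache(fetchFromBackend)` and call `get()` before each connection attempt.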