Authentication
VH3 Connect exposes two REST API groups for server-to-server integration, plus a User Auth API for interactive applications. You receive a single API key during onboarding; how you send it depends on which API you call.Two API surfaces
The API key is the same credential for both groups. Intelligence endpoints require your company ID in addition; BigChange proxy endpoints do not.
VH3 AI Intelligence, quick reference
BigChange API, quick reference
User Auth (interactive apps)
Login with email and password onapi:lBQnyyZL; use the returned JWT as Authorization: Bearer. No API key in client code. See User Authentication below.
VH3 AI Intelligence authentication
All intelligence-layer endpoints require company ID and API key on every request.
These are passed on every request. For
POST endpoints, they go in the JSON body. For GET endpoints, they go as query parameters.
POST example (most endpoints)
GET example (feeds, detail lookups)
BigChange API authentication
BigChange proxy endpoints use the same API key as the intelligence layer, passed only in theX-API-Key HTTP header. Do not send company_id on these requests, the gateway resolves your tenant and BigChange session from the key.
Full endpoint list: BigChange API reference.
User Authentication
For interactive applications, custom dashboards, customer portals, embedded tools, VH3 provides per-user authentication with JWT tokens. Users log in with email and password only. The tenant is resolved server-side from their account. After login, every call from the client uses the JWT, no API key is ever involved in client-side code.How it works
Login
Authenticate a user with email and password. The user’s tenant is resolved server-side, no API key is required from the client.authToken in your application (e.g. httpOnly cookie in production). All subsequent requests use Authorization: Bearer <token>, no API key is ever sent from the client.
Token refresh
Refresh an expiring token before it expires. Requires a valid Bearer token.Get current user
Retrieve the profile of the authenticated user.Token shape
JWT tokens issued by the User Auth API:
The same token works across both the User Auth endpoints and the main VH3 data API when configured with Bearer auth middleware.
Using the token in your application
In production: store the
authToken from /auth/login in an httpOnly secure cookie on your backend. On every request, your server reads the cookie, calls GET /auth/me to validate the token and retrieve the user’s company, then makes the VH3 API call server-side. The browser never sees the token directly and never calls the VH3 API. See Deploying secure apps for the full frontend/backend pattern.User Management
VH3 provides two ways to manage users depending on your integration type:
The section below covers the JWT-based variants for interactive applications. For the server-side
company_id + api_key variants, see the Users API reference.
Admin users can manage team members via the User Auth API. All user management endpoints require a valid Bearer token from a user with the admin or developer role.
Invite a user
Send an invitation to a new user. Returns an invitation token (valid for 7 days).List users
List all active users in the authenticated user’s company.Delete a user
Soft-delete a user (setsis_archived to true). Cannot delete your own account.
Roles
Your credentials
During onboarding you receive:- Company ID: your unique tenant identifier
- API Key: your tenant authentication key
Error responses
All errors follow a consistent format:Security
Your API key is tenant-scoped and grants access to your organisation’s data only. Treat it like a password, store it in server-side environment variables only. Never include it in client-side code, browser bundles, or mobile apps. For interactive front-ends, use User Authentication (JWT), users log in with email and password only, and the API key is never involved.
- All requests must use HTTPS
- API keys can be rotated on request via your account manager
- JWT tokens expire after 24 hours, use the refresh endpoint to obtain a new token before expiry
- Store JWT tokens in
httpOnlysecure cookies in production.localStorageis acceptable for local development only — never in user-facing apps