Skip to main content

Authentication

VH3 Connect exposes two REST API groups for server-to-server integration, plus a User Auth API for interactive applications. You receive a single API key during onboarding; how you send it depends on which API you call.

Two API surfaces

The API key is the same credential for both groups. Intelligence endpoints require your company ID in addition; BigChange proxy endpoints do not.

VH3 AI Intelligence, quick reference

BigChange API, quick reference

User Auth (interactive apps)

Login with email and password on api:lBQnyyZL; use the returned JWT as Authorization: Bearer. No API key in client code. See User Authentication below.

VH3 AI Intelligence authentication

All intelligence-layer endpoints require company ID and API key on every request. These are passed on every request. For POST endpoints, they go in the JSON body. For GET endpoints, they go as query parameters.

POST example (most endpoints)

GET example (feeds, detail lookups)

Requests missing company_id or api_key will receive a 400 response with a Missing param error.

BigChange API authentication

BigChange proxy endpoints use the same API key as the intelligence layer, passed only in the X-API-Key HTTP header. Do not send company_id on these requests, the gateway resolves your tenant and BigChange session from the key.
Missing or invalid X-API-Key returns 401 Unauthorised. Do not put the API key in the JSON body for BigChange endpoints.
Full endpoint list: BigChange API reference.

User Authentication

For interactive applications, custom dashboards, customer portals, embedded tools, VH3 provides per-user authentication with JWT tokens. Users log in with email and password only. The tenant is resolved server-side from their account. After login, every call from the client uses the JWT, no API key is ever involved in client-side code.

How it works

Login

Authenticate a user with email and password. The user’s tenant is resolved server-side, no API key is required from the client.
Response:
Store the authToken in your application (e.g. httpOnly cookie in production). All subsequent requests use Authorization: Bearer <token>, no API key is ever sent from the client.

Token refresh

Refresh an expiring token before it expires. Requires a valid Bearer token.
Response:

Get current user

Retrieve the profile of the authenticated user.
Response:

Token shape

JWT tokens issued by the User Auth API: The same token works across both the User Auth endpoints and the main VH3 data API when configured with Bearer auth middleware.

Using the token in your application

The example below stores the token in localStorage and calls the VH3 API directly from the browser. This is for local development and testing only. In any app that real users can access — including internal tools, partner portals, and MVPs — the token must be stored in an httpOnly secure cookie and all VH3 API calls must originate from your backend server. Calling the VH3 API from browser code means anyone who can open the browser network tab can replay those calls directly against your organisation’s data.
In production: store the authToken from /auth/login in an httpOnly secure cookie on your backend. On every request, your server reads the cookie, calls GET /auth/me to validate the token and retrieve the user’s company, then makes the VH3 API call server-side. The browser never sees the token directly and never calls the VH3 API. See Deploying secure apps for the full frontend/backend pattern.

User Management

VH3 provides two ways to manage users depending on your integration type:
Never call the api:kP8T1CK7 user management endpoints from a browser or mobile app, doing so exposes your API key in client-side code. Use the JWT-authenticated equivalents on api:lBQnyyZL instead.
The section below covers the JWT-based variants for interactive applications. For the server-side company_id + api_key variants, see the Users API reference. Admin users can manage team members via the User Auth API. All user management endpoints require a valid Bearer token from a user with the admin or developer role.

Invite a user

Send an invitation to a new user. Returns an invitation token (valid for 7 days).
Response:

List users

List all active users in the authenticated user’s company.
Response:

Delete a user

Soft-delete a user (sets is_archived to true). Cannot delete your own account.
Response:

Roles


Your credentials

During onboarding you receive:
  • Company ID: your unique tenant identifier
  • API Key: your tenant authentication key
Both are provided by your account manager or visible in your VH3 Connect dashboard settings.

Error responses

All errors follow a consistent format:

Security

Your API key is tenant-scoped and grants access to your organisation’s data only. Treat it like a password, store it in server-side environment variables only. Never include it in client-side code, browser bundles, or mobile apps. For interactive front-ends, use User Authentication (JWT), users log in with email and password only, and the API key is never involved.
  • All requests must use HTTPS
  • API keys can be rotated on request via your account manager
  • JWT tokens expire after 24 hours, use the refresh endpoint to obtain a new token before expiry
  • Store JWT tokens in httpOnly secure cookies in production. localStorage is acceptable for local development only — never in user-facing apps