Authentication
Bearer JWTs from Keycloak for users and X-Capreolus-SDK-Key for mobile SDKs.
Capreolus has two authentication modes: user JWTs (issued by Keycloak) for dashboard-style requests, and a publishable SDK key for mobile clients.
User JWT
Sign in to dashboard.capreolus.app; the dashboard stores a Keycloak-issued access token. For programmatic use, obtain a token with an OIDC client credentials grant or use the user's personal access token from Settings → Tokens.
curl https://api.capreolus.app/v1/projects \
  -H "Authorization: Bearer $JWT"
Tokens carry the user id and the org id in custom claims. Capreolus rejects tokens whose aud is not the API client.
SDK key
Mobile SDKs ship with a publishable key (pub_xxx) scoped to a single Capreolus app. Send it as a header — never as a URL param.
X-Capreolus-SDK-Key: pub_xxx
SDK keys can only call the ingest endpoints: event tracking, identify, crash reports, and feedback submission. They cannot read any other org or app data.
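A key sent as a URL parameter ends up in proxy and web-server access logs, which is why the header is required. The following added example (not Capreolus code) scans access-log lines for SDK keys in query strings and redacts them. The key pattern beyond the pub_ prefix, the endpoint paths, the parameter names and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: a key is "pub_" plus URL-safe characters; the page only shows "pub_xxx".
SDK_KEY = re.compile(r"^pub_[A-Za-z0-9_-]+$")
# Request field of a common/combined-format access log line: "METHOD target PROTOCOL"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_param_names) for one request target."""
    parts = urlsplit(target)
    leaked, clean = [], []
    # parse_qsl percent-decodes values, so "pub%5Fabc" is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SDK_KEY.match(value):
            leaked.append(name)
            value = "pub_REDACTED"
        clean.append((name, value))
    if not leaked:
        return target, []
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def scan(lines):
    """Return [(line_number, param_names, redacted_line)] for lines that leak a key."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        target, leaked = redact_target(m["target"])
        if leaked:
            redacted = line[:m.start("target")] + target + line[m.end("target"):]
            findings.append((n, leaked, redacted))
    return findings

# Constructed sample log lines (addresses, paths and key values are made up).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /ingest/events HTTP/1.1" 202 0',
    '203.0.113.8 - - [01/Jan/2025:10:00:01 +0000] "POST /ingest/events?sdk_key=pub_3f9a2c&v=2 HTTP/1.1" 202 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /ingest/feedback?k=pub%5Fa1b2 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for n, params, redacted in scan(SAMPLE):
        print(f"line {n}: SDK key in query parameter(s) {params}\n  {redacted}")
```

The match is on the parameter value rather than its name, so a key is found whatever the client called the parameter.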
Personal access tokens
For CI / scripts, generate a personal access token. Tokens inherit your role and can be scoped further at issue time.
read:projects
write:projects
read:agents
write:agents
admin:org