Authentication
BaseID Cloud supports two authentication methods:
- API keys — for programmatic/server-to-server access (bsk_live_...)
- Session tokens — for dashboard/browser access (returned by login)

Both are passed in the Authorization header:

```
Authorization: Bearer <token>
```

Register
Create a new user account and tenant organization.

```
POST /v1/auth/register
```

Request body

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | User email address |
| password | string | Yes | Password (minimum 8 characters) |
| display_name | string | Yes | User’s display name |
| tenant_name | string | Yes | Organization name |
| tenant_slug | string | Yes | URL-safe slug (lowercase, hyphens, numbers) |
Response
```json
{
  "token": "a1b2c3d4e5f6...",
  "user_id": "550e8400-e29b-41d4-a716-446655440000",
  "tenant_id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
  "role": "owner"
}
```

The registering user is automatically assigned the owner role with full permissions.
Login
Authenticate with email and password.

```
POST /v1/auth/login
```

Request body

| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | User email address |
| password | string | Yes | Password |
| tenant_slug | string | No | Tenant to log into (for users in multiple orgs) |
Response
```json
{
  "token": "a1b2c3d4e5f6...",
  "user_id": "550e8400-...",
  "tenant_id": "6ba7b810-...",
  "role": "owner"
}
```

If tenant_slug is omitted and the user belongs to multiple tenants, the first tenant is used.
Get current user
Returns the authenticated user’s profile, role, permissions, and tenant list.

```
GET /v1/auth/me
Authorization: Bearer <token>
```

Response

```json
{
  "user_id": "550e8400-...",
  "email": "alice@example.com",
  "display_name": "Alice Martin",
  "tenant_id": "6ba7b810-...",
  "role": "owner",
  "permissions": [
    "credentials:issue",
    "credentials:verify",
    "credentials:revoke",
    "credentials:list",
    "dids:create",
    "dids:list",
    "dids:deactivate",
    "members:invite",
    "members:remove",
    "members:update_role",
    "..."
  ],
  "tenants": [
    {
      "id": "6ba7b810-...",
      "name": "Alice Corp",
      "slug": "alice-corp",
      "role": "owner"
    }
  ]
}
```

Logout
Invalidate the current session.

```
POST /v1/auth/logout
Authorization: Bearer <token>
```

Response

```json
{ "status": "logged_out" }
```

API keys
API keys provide programmatic access without a session. Create them via the Admin API.

Format: bsk_live_<48 hex characters>

API keys inherit the creating user’s role permissions, or can be scoped to a subset (e.g., only credentials:issue and credentials:verify).

```bash
# Use an API key
curl https://api.baseid.cloud/v1/credentials \
  -H "Authorization: Bearer bsk_live_a1b2c3d4..."
```

API keys are hashed (SHA-256) before storage — the plaintext key is only shown once at creation time.
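
The following is an added example, not BaseID's own code: one way a service could handle keys of the format above, with strict format validation, SHA-256 digest lookup, constant-time comparison, and log redaction. The function names, the lowercase-hex assumption, and hashing the whole key string are assumptions; the sample key is constructed.

```python
import hashlib
import hmac
import re

# Format from the page: "bsk_live_" + 48 hex characters (lowercase assumed).
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])bsk_live_[0-9a-f]{48}(?![0-9A-Za-z])")

# Constructed sample key for demonstration only; not a real credential.
SAMPLE_KEY = "bsk_live_" + "ab12" * 12


def parse_api_key(header):
    """Return the API key from an Authorization header, or None if malformed."""
    scheme, _, value = header.strip().partition(" ")
    value = value.strip()
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(value):
        return None
    return value


def key_digest(key):
    """SHA-256 hex digest of the key; only this value is kept in storage."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def verify(header, stored_digests):
    """Check a presented key against the stored digests."""
    key = parse_api_key(header)
    if key is None:
        return False
    presented = key_digest(key)
    ok = False
    for stored in stored_digests:
        # compare_digest avoids leaking how many leading characters matched.
        ok |= hmac.compare_digest(presented, stored)
    return ok


def redact(text):
    """Mask keys in log lines, keeping prefix + 4 characters for triage."""
    return KEY_RE.sub(lambda m: m.group(0)[:13] + "...[redacted]", text)


if __name__ == "__main__":
    db = [key_digest(SAMPLE_KEY)]  # what the server stores
    print(verify("Bearer " + SAMPLE_KEY, db))           # valid key
    print(verify("Bearer bsk_live_a1b2c3d4", db))       # wrong length
    print(redact("401 for token " + SAMPLE_KEY))
```

Because only the digest is stored, a lost key cannot be recovered from the database and has to be replaced with a new one.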
See also
- Security Model concept — password hashing, key storage, encryption
- Team & RBAC — roles and permissions
- Errors & Limits — authentication error handling