Skip to main content

Authentication

Download this guide

The SNH AI Background Check API uses JWT Bearer tokens. Send a valid JWT on protected routes. GET /health is public in standard deployments (Health check).

Getting sandbox access

Contact SNH AI (support@snh-ai.com) to request sandbox access. You receive a Bearer JWT scoped to your account. The token payload must include the tenant claim SNH AI configures for your environment. Without tenant, protected routes reject the request even when the JWT is otherwise valid. Auth0 machine-to-machine tokens sometimes omit tenant unless your identity provider adds it — ask SNH AI to include that claim. Do not commit client IDs, secrets, or sample JWTs into your codebase or docs.

Using the API reference

  1. Open any page under API Reference (for example Create order).
  2. Click Authorize (Bearer lock).
  3. Paste your JWT. You may include the literal Bearer prefix or omit it; use what your tooling expects consistently.
  4. Use the JSON examples as request bodies. Default host is sandbox (https://sandbox.theary.ai) unless you select another server.

Authentication method

  • Type: Bearer JWT
  • Header: Authorization: Bearer <jwt_token>
Access is organization-scoped: any valid JWT with your tenant claim can call the documented consumer endpoints for that organization. Role-based permission tiers (for example read-only vs. admin) are not exposed on this API surface.

Making authenticated requests

Include your JWT on protected endpoints (example: List orders).
Production: same paths under https://api.theary.ai with production-issued credentials.

Verify your token (tenant claim)

This decodes the JWT payload without cryptographic verification (useful locally; rely on SNH AI issuance for correctness):

Optional: machine-to-machine (client credentials)

If SNH AI provisions an OAuth client for your integration, you can request tokens from your identity provider with client credentials. Prefer a token that already includes the tenant claim when you test. Never publish secrets.

Security

  • Organization isolation requires the tenant claim aligned to your SNH AI organization.
  • Protected routes: all documented integration endpoints except /health require the Bearer JWT.

Troubleshooting

Testing connectivity then auth

GET /health does not require auth:
Then call an authenticated endpoint (for example List orders above) with your Bearer token. Expected healthy response:
Sandbox-specific limits are summarized in Environments.

Error responses

Authentication errors (401)

All token-validation failures (expired, malformed, missing signature, and similar) return the same generic response:

Tenant resolution errors (401)

Missing, unknown, or inactive tenant information also returns 401, with a more specific message:

Next steps

  1. Quickstart
  2. Environments
  3. Create order
  4. API overview