Authentication
The SNH AI Background Check API uses JWT Bearer tokens. Send a valid JWT on protected routes.GET /health is public in standard deployments (Health check).
Getting sandbox access
Contact SNH AI (support@snh-ai.com) to request sandbox access. You receive a Bearer JWT scoped to your account. The token payload must include thetenant claim SNH AI configures for your environment. Without tenant, protected routes reject the request even when the JWT is otherwise valid. Auth0 machine-to-machine tokens sometimes omit tenant unless your identity provider adds it — ask SNH AI to include that claim.
Do not commit client IDs, secrets, or sample JWTs into your codebase or docs.
Using the API reference
- Open any page under API Reference (for example Create order).
- Click Authorize (Bearer lock).
- Paste your JWT. You may include the literal
Bearerprefix or omit it; use what your tooling expects consistently. - Use the JSON examples as request bodies. Default host is sandbox (
https://sandbox.theary.ai) unless you select another server.
Authentication method
- Type: Bearer JWT
- Header:
Authorization: Bearer <jwt_token>
tenant claim can call the documented consumer endpoints for that organization. Role-based permission tiers (for example read-only vs. admin) are not exposed on this API surface.
Making authenticated requests
Include your JWT on protected endpoints (example: List orders).https://api.theary.ai with production-issued credentials.
Verify your token (tenant claim)
This decodes the JWT payload without cryptographic verification (useful locally; rely on SNH AI issuance for correctness):Optional: machine-to-machine (client credentials)
If SNH AI provisions an OAuth client for your integration, you can request tokens from your identity provider with client credentials. Prefer a token that already includes thetenant claim when you test. Never publish secrets.
Security
- Organization isolation requires the
tenantclaim aligned to your SNH AI organization. - Protected routes: all documented integration endpoints except
/healthrequire the Bearer JWT.
Troubleshooting
Testing connectivity then auth
GET /health does not require auth:
Error responses
Authentication errors (401)
All token-validation failures (expired, malformed, missing signature, and similar) return the same generic response:Tenant resolution errors (401)
Missing, unknown, or inactive tenant information also returns401, with a more specific message: