Skip to main content
Seyaha uses three authentication schemes depending on the API you’re calling.

Partner & Affiliate — Bearer JWT

Partner Integration and Affiliate endpoints require a JWT in the Authorization header: 
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
How to get a JWT: Log in through the Seyaha platform (partner portal or affiliate onboarding). JWTs are short-lived — refresh them before expiry using the auth refresh endpoint.
Partner JWTs carry a role claim of partner. Affiliate JWTs carry role: user. Admin endpoints additionally require role: admin — contact Seyaha to provision admin credentials.

Reseller — API Token

Reseller endpoints use a static API token passed as a custom header: 
x-api-token: rsl_live_abc123def456
How to get your API token: Your token is issued by a Seyaha admin when your reseller account is approved. Tokens do not expire but can be rotated by contacting support.
Treat your API token like a password. Never expose it in client-side code or public repositories. If compromised, contact [email protected] immediately.

Webhooks — Webhook Secret

When your partner integration is created, Seyaha generates a webhook_secret and returns it in the creation response. Use it to authenticate inbound webhook calls to Seyaha: 
POST /api/v1/partner-integrations/{id}/sync/trigger
x-webhook-secret: 64hex-char-secret
The secret is stored hashed — it is only shown once at creation time. If you lose it, delete and recreate the integration.

Quick reference

APIHeaderValue
Partner IntegrationAuthorizationBearer <JWT>
Resellerx-api-token<static token>
AffiliateAuthorizationBearer <JWT>
Webhooks (inbound)x-webhook-secret<webhook secret>