Skip to main content

Authentication

Dcycle API supports two authentication methods depending on your use case:

API Keys

For programmatic integrations and automations

JWT (Tokens)

For web applications acting on behalf of users

API Keys

API Keys are ideal for:
  • Server-to-server integrations
  • Automated scripts
  • CI/CD pipelines
  • Backend applications

Get an API Key

1

Log in to Dcycle

Go to app.dcycle.io
2

Navigate to API Keys

Organization Settings → API Keys
3

Generate a new key

Click “Generate API Key”
The API Key is only shown once. Save it immediately.

Using your API Key

Include your API Key in the Authorization header with the Bearer scheme: 
curl -X GET "https://api.dcycle.io/api/v1/facilities" \
  -H "Authorization: Bearer your-api-key-here" \
  -H "x-organization-id: your-org-id" \
  -H "x-user-id: your-user-id"

Required Headers

When using API Keys, you must include these headers:
HeaderDescriptionRequired
AuthorizationBearer token with your API Key✅ Yes
x-organization-idYour organization UUID✅ Yes
x-user-idYour user UUID✅ Yes
Content-TypeContent type (for POST/PUT)Only for POST/PUT

JWT Tokens

JWT tokens are ideal for:
  • Web frontend applications
  • Mobile applications
  • Interactive user interfaces

Get a JWT Token

1

Login with email and password

curl -X POST "https://api.dcycle.io/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-password"
  }'
2

Extract the token from response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}
3

Use the token in your requests

Include the token in the Authorization header:
curl -X GET "https://api.dcycle.io/api/v1/facilities" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  -H "x-organization-id: your-org-id" \
  -H "x-user-id: your-user-id"

Token Expiration

JWT tokens expire after 1 hour. When a token expires, you’ll get a 401 Unauthorized error. You’ll need to log in again to get a new token.
Tip: Implement automatic refresh in your application to renew tokens before they expire.

Security Best Practices

  • DON’T save API Keys in source code
  • DON’T commit them to Git/GitHub
  • DON’T share them via email or Slack
  • DO use environment variables
  • DO use secret managers (AWS Secrets Manager, etc.)
All API requests must use HTTPS. HTTP requests will be rejected.
  • Generate new API Keys every 3-6 months
  • Delete old API Keys immediately after migration
  • Use different API Keys for different environments (dev, staging, prod)

API Key Management

List your API Keys

You can view all your active API Keys at: app.dcycle.io/settings/api

Revoke an API Key

If an API Key has been compromised or you no longer need it:
  1. Go to Organization Settings → API Keys
  2. Find the API Key in the list
  3. Click “Revoke”
Once revoked, the API Key will stop working immediately. This action cannot be undone.

Troubleshooting

Error 401: Unauthorized

Possible causes:
  • Invalid or revoked API Key
  • Expired JWT token
  • Incorrect Authorization header format
  • Organization doesn’t have API enabled
Solution: 
# Verify you're using the correct format
Authorization: Bearer your-api-key-or-jwt-token

Error 403: Forbidden

Possible causes:
  • User doesn’t belong to the specified organization
  • Missing x-organization-id header
  • Organization doesn’t have permissions for that resource
Solution: Verify that the x-organization-id corresponds to your organization.

Next Steps

Quickstart

Make your first API call

API Reference

Explore all endpoints