
Authentication

ZenCore supports three authentication methods depending on the use case.

OTP → JWT (User Authentication)

For human users (admin dashboard, mobile app, booking apps).

Step 1: Request OTP

POST /api/v1/auth/otp/request
Content-Type: application/json

{
  "email": "user@example.com"
}

A one-time password is sent to the user's email.

Step 2: Verify OTP

POST /api/v1/auth/otp/verify
Content-Type: application/json

{
  "email": "user@example.com",
  "otp": "123456"
}

Response:

{
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "user": {
      "id": "usr-abc123",
      "email": "user@example.com",
      "name": "John Doe"
    }
  }
}

Step 3: Use JWT

Include the token in all subsequent requests:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

API Key (System Integration)

For machine-to-machine communication between services (e.g., ZenEdge → ZenCore).

x-api-key: your-system-api-key

API keys have full system-level access. Keep them secure.

Org API Key (Organization-Scoped)

For external integrations scoped to a single organization with permission-based access.

x-org-api-key: your-org-api-key

Org API Keys:

  • Are scoped to one organization
  • Carry a specific set of permissions (read/write per resource)
  • Are managed via the admin dashboard or API
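
The following is an added example, not ZenCore's own code: a server-side sketch of how the three credential types above can be told apart and checked on each request. The key values, the digest-based key store, the permission map, the `sub` and `exp` claim names, HS256 signing, and the rule that a request must carry exactly one credential are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not real ZenCore configuration).
JWT_SECRET = b"constructed-demo-secret"
SYSTEM_KEY_SHA256 = hashlib.sha256(b"sys-demo-key").hexdigest()
# Org keys are stored by SHA-256 digest -> (organization, {resource: actions}).
ORG_KEYS = {hashlib.sha256(b"org-demo-key").hexdigest():
            ("org-1", {"bookings": {"read"}})}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def verify_jwt(token, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        exp = claims.get("exp")
    except (ValueError, AttributeError):  # malformed token or non-object JSON
        return None
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        return None  # a token without a usable expiry is rejected
    return claims

def authenticate(headers, resource, action, now=None):
    """Map request headers to a principal dict, or None to reject."""
    h = {k.lower(): v for k, v in headers.items()}
    present = [n for n in ("authorization", "x-api-key", "x-org-api-key") if n in h]
    if len(present) != 1:  # no credential, or an ambiguous mix of them
        return None
    if present[0] == "authorization":
        scheme, _, token = h["authorization"].partition(" ")
        claims = verify_jwt(token, now) if scheme == "Bearer" else None
        return {"kind": "user", "sub": claims.get("sub")} if claims else None
    digest = hashlib.sha256(h[present[0]].encode()).hexdigest()
    if present[0] == "x-api-key":  # system key: full access, so compare carefully
        ok = hmac.compare_digest(digest, SYSTEM_KEY_SHA256)
        return {"kind": "system"} if ok else None
    org, perms = ORG_KEYS.get(digest, (None, {}))
    if org and action in perms.get(resource, set()):  # scoped to org + permission
        return {"kind": "org", "org": org}
    return None
```
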

Token Lifecycle

Aspect | Detail
JWT expiration | Configurable via JWT_SECRET and auth settings
OTP expiration | Short-lived (typically 5-10 minutes)
API Key | Long-lived, revocable via admin dashboard
