Auth Flows
This guide helps you choose the right authentication pattern for your DYPAI app.
Use it when deciding:
- whether users can self-register
- whether access should be invite-only
- when to use
jwtendpoints - when to use
api_keyendpoints - how to structure frontend vs server calls
Core Rule
In DYPAI, application-facing HTTP endpoints should use one of these modes:
jwt: request is tied to a signed-in userapi_key: request is tied to the project key, usually from server-side code
Do not design public unauthenticated endpoints.
Quick Decision Table
| Scenario | User can sign up? | Main endpoint mode | Recommended pattern |
|---|---|---|---|
| Public app with account creation | Yes | jwt | Signup + email confirmation + user session |
| Private app for known users only | No | jwt | Admin/invite flow + set-password flow |
| B2B internal portal | Usually no | jwt | Users are provisioned by admin or invite |
| Backend automation / cron / sync | Not applicable | api_key | Server-to-server calls only |
| Mixed app (UI + backend jobs) | Maybe | jwt + api_key | UI uses JWT, backend jobs use API Key |
Flow 1: Public App With User Registration
Use this when:
- users create their own accounts
- the app has login, profile, dashboard, or user-owned data
- workflows need
current_userorcurrent_user_id
Recommended setup:
- Enable signup in Auth.
- Keep email confirmation enabled unless there is a strong reason not to.
- Use
dypai.auth.signUp()anddypai.auth.signInWithPassword()from the app. - Protect business endpoints with
auth_mode: "jwt". - Use
allowed_rolesonly when you need role-based restrictions.
Typical example:
- Marketing site
- SaaS app
- Customer dashboard
JavaScript
const dypai = createClient(process.env.NEXT_PUBLIC_DYPAI_URL!);
await dypai.auth.signUp({
email,
password,
full_name,
});
Use jwt for app screens and user actions:
JavaScript
const { data } = await dypai.api.get('get_profile');
Flow 2: Private App Without Open Registration
Use this when:
- users should not create accounts on their own
- your team decides who gets access
- this is a client project, internal dashboard, partner portal, or staff tool
Recommended setup:
- Do not expose self-service signup in the UI.
- Create users from admin/backend flows.
- Send invite links or recovery-style onboarding links.
- Let the user set their password in your app.
- Keep application endpoints in
jwtmode.
Typical example:
- company backoffice
- client-specific private app
- invited-only B2B product
Recommended onboarding:
- Admin creates or invites the user.
- User opens an invite link to your app callback route.
- SDK emits
PASSWORD_RECOVERY. - Your UI shows a set-password screen.
- User then works normally with JWT session auth.
JavaScript
dypai.auth.onAuthStateChange((event) => {
if (event === 'PASSWORD_RECOVERY') {
// Show set-password screen
}
});
Flow 3: Admin-Provisioned Internal App
This is a stricter version of the private-app pattern.
Use this when:
- only employees, operators, or internal collaborators can enter
- all accounts are created by your team
- roles matter a lot (
admin,editor,viewer, etc.)
Recommended setup:
- No public signup UI.
- Users are created by admin.
- Access to app functionality goes through
jwtendpoints. - Restrict sensitive endpoints with
allowed_roles.
Example role split:
admin: user and system managementeditor: operational workviewer: read-only access
Flow 4: Server-to-Server Or Backend Jobs
Use this when:
- there is no human user session
- a worker, cron job, webhook proxy, or backend process needs to call the engine
- the request should not depend on user identity
Recommended setup:
- Configure the target endpoint with
auth_mode: "api_key". - Call it from server-side code only.
- Send
X-API-KEY. - Do not expose the key in browser code.
Good places to use it:
- Next.js Route Handlers
- Next.js Server Actions
- Server Components that call backend-only logic
- Node workers
- Python jobs
- cron tasks
JavaScript
const dypai = createClient(
process.env.DYPAI_URL!,
process.env.DYPAI_API_KEY
);
await dypai.api.post('sync_data', payload);
Mixed Architecture: UI + Server Jobs
This is very common and usually the cleanest setup.
Pattern:
- browser/app UI uses
jwt - server jobs and backend integrations use
api_key
Example split:
create_order->jwtsync_erp_orders->api_key
This avoids exposing backend credentials in the client while keeping user-facing flows simple.
What To Avoid
Avoid these patterns:
- using
api_keyfrom browser-exposed code - designing open/public endpoints without auth
- mixing user-specific logic into
api_keyendpoints - manually sending
user_idwhen JWT context should provide it - using
api_keyfor normal UI actions whenjwtis the correct model
Recommended By App Type
Consumer / SaaS App
- Signup: yes
- Login: yes
- Main endpoint mode:
jwt - Optional backend endpoints:
api_key
Private Client App
- Signup: no
- Invitation/provisioning: yes
- Main endpoint mode:
jwt - Admin onboarding flow: invite/set-password
Internal Operations App
- Signup: no
- Provisioning: admin only
- Main endpoint mode:
jwt - Strong
allowed_roles: yes
Background Integration Layer
- Signup: not relevant
- User session: no
- Main endpoint mode:
api_key
Practical Recommendation
If you are unsure, start with this:
- For user-facing app screens, use
jwt. - For backend-only automation, use
api_key. - If users should not self-register, remove signup UI and use invite/provisioning flows.