Authentication
JWT for the Studio UI, API keys for your apps.
OHM Studio uses two auth mechanisms:
| Mechanism | Where it's used | Header |
|---|---|---|
| JWT | Studio web UI, management endpoints | Authorization: Bearer <jwt> |
| API key | Public extraction endpoints | Authorization: Bearer ohms_live_… |
Why both?
- The Studio UI is a logged-in admin experience. JWT (with silent refresh) gives you the same session ergonomics as the rest of OHM.
- Your production apps need a long-lived, scoped, rotatable credential — that's an API key.
Key modes
| Mode | Prefix | Bundle-safe? | Typical use |
|---|---|---|---|
| Live | ohms_live_* | No | Server-side production |
| Test | ohms_test_* | Yes | Local dev, demos |
The SDK enforces this distinction: @ohm_studio/sdk-react-native refuses to initialise with a live key unless you pass acknowledgeBundledKey: true. See RN key handling.
Scopes
Every key carries one or more scopes:
- api:invoke — call the public extraction endpoints
- api:read — list APIs / projects (limited)
- api:write — create / update APIs (rare; usually you use JWT for this)
Default mints get api:invoke only.
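The key-mode rule above and the scope model in this section, as an added example that is not code from the OHM Studio SDK or backend. It assumes only what the page states (the ohms_live_ / ohms_test_ prefixes, the acknowledgeBundledKey option, the three scope names) and the function names classifyKey, assertBundleSafe, hasScope and authorize are hypothetical. The `keyRecord` object stands in for whatever the Studio backend stores per key; scopes are looked up from that record, never parsed out of the key string itself.

```javascript
// Added example, not OHM Studio SDK code. Mirrors the prefix rule and the
// scope model described on this page; all function names are hypothetical.
const KEY_PREFIXES = { ohms_live_: "live", ohms_test_: "test" };

// Classify a key by its prefix. Returns { mode, bundleSafe }, or null when
// the value is not an ohms_* key at all (e.g. a JWT pasted in the wrong field).
function classifyKey(key) {
  if (typeof key !== "string") return null;
  for (const [prefix, mode] of Object.entries(KEY_PREFIXES)) {
    if (key.startsWith(prefix)) {
      return { mode, bundleSafe: mode === "test" };
    }
  }
  return null;
}

// The SDK rule from the text: a live key may only be initialised in a
// shippable bundle when the caller explicitly acknowledges it.
function assertBundleSafe(key, options = {}) {
  const info = classifyKey(key);
  if (!info) throw new Error("not an OHM Studio API key");
  if (!info.bundleSafe && options.acknowledgeBundledKey !== true) {
    throw new Error(
      "refusing to bundle a live key; use an ohms_test_ key for local dev, " +
        "or pass acknowledgeBundledKey: true if you really mean it"
    );
  }
  return info;
}

// Server-side view. keyRecord is a constructed stand-in for the stored key
// record: { scopes: [...], revoked: boolean }.
function hasScope(keyRecord, needed) {
  return Array.isArray(keyRecord.scopes) && keyRecord.scopes.includes(needed);
}

// Map an action to the scope it requires and decide whether it may proceed.
// A default mint carries api:invoke only, so it can call extraction
// endpoints but cannot list or manage APIs.
function authorize(keyRecord, action) {
  const required = { invoke: "api:invoke", list: "api:read", update: "api:write" }[action];
  if (!required) return { ok: false, reason: "unknown action" };
  if (keyRecord.revoked) return { ok: false, reason: "key revoked" };
  if (!hasScope(keyRecord, required)) return { ok: false, reason: `missing ${required}` };
  return { ok: true };
}

// Constructed sample values (not real keys):
//   classifyKey("ohms_test_abc123")  -> { mode: "test", bundleSafe: true }
//   assertBundleSafe("ohms_live_abc123") -> throws
```

The prefix check is a client-side convenience only: it stops a developer from shipping a live key by accident, it does not protect a key that has already been bundled. Authorization decisions belong on the server, against the stored record.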
Rotation
Keys are bcrypt-hashed at rest. The plaintext is shown once at creation. To rotate:
- Mint a new key with the same scopes.
- Deploy it to your apps.
- Revoke the old key from the Studio Keys page.
Revocation is instant.
Rate limits
- Default: 60 RPM per key
- Override per key, or per API (whichever is lower wins)
- 429 response carries retry-after (seconds)
- The SDK auto-retries on 429 with full-jitter backoff
Org suspension
If your organization is suspended, every Studio call instantly returns 401 — even with a valid key. Reactivating the org restores access without minting new keys.
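The 429 handling from the rate-limits section and the 401 behaviour described here, as an added example of a caller that honours both. This is not the SDK's implementation: the names fullJitterDelay, nextDelayMs and invokeWithRetry are hypothetical, the base delay and cap are assumed values, and fetchImpl and sleep are injected so the loop can be exercised offline against a constructed fake server.

```javascript
// Added example, not the @ohm_studio SDK's retry code. Names, base delay and
// cap are assumptions; fetchImpl/sleep are injected so this runs offline.

// Full-jitter backoff: a uniform delay in [0, min(cap, base * 2^attempt)).
function fullJitterDelay(attempt, { baseMs = 500, capMs = 30000, random = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// Read retry-after from either a real fetch Headers object or the plain
// object the fake server below uses.
function retryAfterOf(response) {
  const h = response.headers;
  if (!h) return null;
  return typeof h.get === "function" ? h.get("retry-after") : h["retry-after"];
}

// Only a 429 is retried. Prefer the server's retry-after (seconds); fall back
// to jitter when the header is absent or unparsable. Returns null for any
// other status, meaning "do not retry".
function nextDelayMs(response, attempt, opts) {
  if (response.status !== 429) return null;
  const ra = retryAfterOf(response);
  const seconds = ra == null ? NaN : Number(ra);
  return Number.isFinite(seconds) && seconds >= 0 ? seconds * 1000 : fullJitterDelay(attempt, opts);
}

async function invokeWithRetry(url, apiKey, { fetchImpl, sleep, maxAttempts = 5, ...opts } = {}) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${apiKey}` } });
    // 401 is never worth retrying: a revoked key stays revoked, and a
    // suspended org answers 401 to every call until it is reactivated.
    if (res.status === 401) {
      return { ok: false, status: 401, attempts: attempt + 1, reason: "unauthorized; not retrying" };
    }
    const delay = nextDelayMs(res, attempt, opts);
    if (delay === null) return { ok: res.status < 400, status: res.status, attempts: attempt + 1 };
    await sleep(delay);
  }
  return { ok: false, status: 429, attempts: maxAttempts, reason: "rate limited; gave up" };
}

// Constructed stand-in for the extraction endpoint: replays the given
// responses in order and repeats the last one forever.
function makeFakeServer(responses) {
  let i = 0;
  return async () => responses[Math.min(i++, responses.length - 1)];
}
```

With the real SDK you would not write this loop yourself; the point of the example is the decision table it encodes: 429 with retry-after waits exactly that long, 429 without it backs off with jitter, 401 stops immediately, and everything else returns on the first attempt.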