Authentication & Security

Format, Validate, and Convert JSON Instantly

Every API request to JSONify must include a valid bearer token in the Authorization header. Tokens are scoped to your workspace, expire after 90 days of inactivity, and support granular permissions for read, write, and admin operations.

Getting Started

Generate an API Key

Navigate to Settings → API Keys in your dashboard. Click Create Key, assign a descriptive name like "CI/CD Pipeline" or "Staging Integrations," and select the scopes your integration requires. The key is displayed once — copy it immediately and store it in your environment variables.

Token Format

Bearer Token Authentication

Include your key on every request using the standard Bearer scheme:

Authorization: Bearer sk_jf_9x2mKp4Rt7vLq8wN3c

Tokens beginning with sk_jf_ are standard keys; those prefixed with rk_jf_ are read-only. Requests missing a valid token receive a 401 Unauthorized response with a JSON error body.

Lifecycle

Rotate & Revoke Keys

Rotate keys before they expire to avoid downtime. In the dashboard, click Regenerate on any active key — the old value is invalidated immediately, and a new 32-character key is issued. Revoke keys you no longer need; revoked keys are purged from our systems within 24 hours.

OAuth 2.0 Integration

For applications that manage multiple users or organizations, JSONify supports OAuth 2.0 with the authorization code flow. This lets your users grant scoped access without sharing their own API keys.

[Figure: JSONify dashboard showing the OAuth application configuration panel with client ID, redirect URI, and scope selection fields]

Register your application under Settings → OAuth Apps to receive a client_id and client_secret. Set your redirect URI to match the callback endpoint in your application — for example, https://app.example.com/auth/jsonify/callback. Select the scopes you need: json:read, json:write, schemas:read, or workspace:admin.

After the user authorizes, JSONify redirects back to your callback with an authorization code. Exchange that code for an access token and refresh token by posting to https://api.jsonify.dev/oauth/token. Access tokens are valid for one hour; refresh tokens persist for 180 days unless the user revokes access.

PKCE

Public Clients Supported

Single-page apps and mobile clients can use the authorization code flow with PKCE (Proof Key for Code Exchange). Generate a code_verifier and code_challenge on the client side, send only the challenge in the authorization request, and present the verifier during the token exchange so the server can prove the same client that started the flow is finishing it. No client_secret is required.
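The flow described in the OAuth 2.0 and PKCE sections above, as an added example that is not part of the JSONify documentation or SDK. It generates the verifier and S256 challenge per RFC 7636, builds the authorization request and the token-exchange body for the documented https://api.jsonify.dev/oauth/token endpoint, and shows the check the authorization server performs when the verifier is presented. The authorize URL path, the client_id, state and code values are assumptions; only the token endpoint and scope names come from the page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Token endpoint as documented; the authorization endpoint path is an assumption.
TOKEN_URL = "https://api.jsonify.dev/oauth/token"
AUTHORIZE_URL = "https://api.jsonify.dev/oauth/authorize"  # assumed, not from the docs


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier kept on the client; 32 random bytes encode to
    43 characters, the minimum RFC 7636 allows (the maximum is 128)."""
    return _b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)). Safe to send in the URL."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str],
                        state: str, challenge: str) -> str:
    """Step 1: the challenge (never the verifier) goes in the authorization request."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict[str, str]:
    """Step 2: POST body for TOKEN_URL; the verifier replaces a client_secret."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def verify_pkce(verifier: str, stored_challenge: str) -> bool:
    """Server side of the exchange: recompute the challenge from the presented
    verifier and compare it (constant time) with the one stored alongside the
    authorization code. An intercepted code is useless without the verifier."""
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(verifier), stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print(build_authorize_url("my-client-id",
                              "https://app.example.com/auth/jsonify/callback",
                              ["json:read", "json:write"], "opaque-state", c))
    print(build_token_request("my-client-id",
                              "https://app.example.com/auth/jsonify/callback",
                              "code-from-callback", v))
    print(verify_pkce(v, c))
```

Store the verifier in memory or session storage for the lifetime of one login attempt only, and tie the state parameter to that same attempt so the callback can reject codes it did not request.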

Revocation

Token Revocation Endpoint

Revoke any active token by sending a POST to https://api.jsonify.dev/oauth/revoke with your client_id, client_secret, and the token to invalidate. The endpoint returns 200 OK on success. Revoked tokens cannot be refreshed or restored.

Security Best Practices

JSONify enforces rate limiting, injects standard security headers on every response, and provides visibility into your usage so you can detect anomalies early.

Rate Limiting

Headers & Limits

Every API response includes rate-limit headers so your application can adapt gracefully:

X-RateLimit-Limit: 1200 — maximum requests per hour
X-RateLimit-Remaining: 847 — requests left in the current window
X-RateLimit-Reset: 1718439600 — Unix timestamp when the window resets

When you exceed the limit, JSONify returns 429 Too Many Requests with a Retry-After header indicating the wait time in seconds. Implement exponential backoff in your client to avoid cascading failures.
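A client-side retry policy for the headers and status codes described above, as an added example rather than JSONify's own SDK code. It parses the X-RateLimit-* headers, honours Retry-After on a 429 (falling back to the X-RateLimit-Reset timestamp), and applies capped exponential backoff with jitter to 5xx responses. The send/sleep/now callables are injected so the policy can be exercised offline; the sample responses at the bottom are constructed.

```python
import random
import time
from typing import Callable


def parse_rate_limit(headers: dict) -> dict:
    """Read the X-RateLimit-* headers; names are matched case-insensitively
    because HTTP client libraries differ in how they expose header names."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "limit": int(lower.get("x-ratelimit-limit", 0)),
        "remaining": int(lower.get("x-ratelimit-remaining", 0)),
        "reset": int(lower.get("x-ratelimit-reset", 0)),
    }


def backoff_seconds(status: int, headers: dict, attempt: int, now: float,
                    base: float = 1.0, cap: float = 60.0,
                    jitter: Callable[[], float] = random.random):
    """Seconds to wait before retrying, or None if the response is not retryable.

    429: honour Retry-After when present, else wait for the X-RateLimit-Reset window.
    429 without hints or any 5xx: capped exponential backoff with jitter, so many
    clients hitting the limit together do not retry in lockstep.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 429:
        if "retry-after" in lower:
            return float(lower["retry-after"])
        reset = parse_rate_limit(headers)["reset"]
        if reset:
            return max(0.0, reset - now)
    if status == 429 or status >= 500:
        # jitter scales the step into [0.5, 1.0] of the exponential value
        return min(cap, base * 2 ** attempt) * (0.5 + 0.5 * jitter())
    return None  # 2xx, 4xx (including 401) are returned to the caller as-is


def request_with_backoff(send: Callable[[], tuple], max_attempts: int = 5,
                         sleep: Callable[[float], None] = time.sleep,
                         now: Callable[[], float] = time.time,
                         jitter: Callable[[], float] = random.random) -> tuple:
    """Call send() until it returns a non-retryable response or attempts run out.
    send() returns (status, headers, body)."""
    status, headers, body = send()
    for attempt in range(max_attempts - 1):
        wait = backoff_seconds(status, headers, attempt, now(), jitter=jitter)
        if wait is None:
            break
        sleep(wait)
        status, headers, body = send()
    return status, headers, body


if __name__ == "__main__":
    # Constructed responses: a 429 carrying Retry-After, then a success.
    responses = iter([
        (429, {"Retry-After": "3", "X-RateLimit-Limit": "1200",
               "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1718439600"}, b""),
        (200, {"X-RateLimit-Limit": "1200", "X-RateLimit-Remaining": "847",
               "X-RateLimit-Reset": "1718439600"}, b"{}"),
    ])
    waits = []
    status, headers, _ = request_with_backoff(lambda: next(responses),
                                              sleep=waits.append, now=lambda: 0.0)
    print(status, waits, parse_rate_limit(headers))
```

Note that a 401 is deliberately not retried: an invalid or expired key will not become valid by waiting, and a burst of repeated 401s is exactly the pattern the audit-log alerts described later on this page are meant to flag.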

Response Headers

Security Headers

All JSONify endpoints return a strict set of security headers to protect against common web vulnerabilities:

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

These headers are applied universally and cannot be overridden per-request. They ensure that even if your application embeds JSONify responses in an iframe or proxy, the browser enforces the strongest available protections.
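A check that a response actually carries the documented header set, as an added example and not part of the JSONify service. A defender can run it in an integration test or a monitoring probe against captured response headers: it flags headers that are missing and an HSTS value whose max-age is shorter than the documented year or that lacks includeSubDomains. The expected values are copied from the list above; the sample response at the bottom is constructed.

```python
# Baseline copied from the documented header set above.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as documented


def _parse_hsts(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains' into lower-cased directives,
    e.g. {'max-age': '31536000', 'includesubdomains': None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or None
    return directives


def check_security_headers(headers: dict) -> list[str]:
    """Return one finding per header that is missing or weaker than documented.
    An empty list means the response matches the documented policy."""
    lower = {k.lower(): str(v).strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = lower.get(name)
        if actual is None:
            findings.append(f"missing {name}")
            continue
        if name == "strict-transport-security":
            # HSTS is compared by directive, not by exact string, because
            # max-age may legitimately be larger than the documented value.
            directives = _parse_hsts(actual)
            try:
                max_age = int(directives.get("max-age") or 0)
            except ValueError:
                max_age = 0
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"{name}: max-age {max_age} below {MIN_HSTS_MAX_AGE}")
            if "includesubdomains" not in directives:
                findings.append(f"{name}: includeSubDomains missing")
        elif " ".join(actual.split()).lower() != expected.lower():
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    return findings


if __name__ == "__main__":
    # Constructed response headers: HSTS weakened, X-Frame-Options dropped.
    sample = {
        "Content-Type": "application/json",
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'none'",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    for finding in check_security_headers(sample) or ["all documented headers present"]:
        print(finding)
```

Because the page states these headers cannot be overridden per request, any finding from this check against a live response points at something between you and JSONify (a proxy or CDN stripping headers) rather than at your own request parameters.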

Monitoring

Audit Logs & Alerts

Every authentication event — key creation, token refresh, OAuth grant, and revocation — is recorded in your workspace audit log. Logs are retained for 365 days and can be exported as JSON. Set up webhook alerts to receive a notification when a key is rotated, a new OAuth app is registered, or a suspicious burst of 401 errors is detected from a single IP address.
