Authorization header.
SDK Tokens
SDK tokens are the primary authentication method for API integrations. They are JWTs issued by SOLO and signed with a shared secret (HS256).
When to use: Server-to-server integrations, backend services, and the SOLO SDK.
SDK tokens include the following claims:

| Claim | Description |
|---|---|
| sub | The user or service identifier |
| permissions | Array of granted permission scopes |
| https://api.solo.one/workflow_id | The workflow context for the request |
| https://api.solo.one/stakeholder_name | Your organization’s stakeholder name |
| https://api.solo.one/stakeholder_type | Stakeholder type classification |
WorkOS Tokens
WorkOS tokens are used for dashboard and frontend authentication. They are verified against WorkOS JWKS endpoints.
When to use: The SOLO Network Dashboard and browser-based applications.
WorkOS tokens are standard JWTs signed with RS256 and verified using WorkOS’s published JWKS keys at:
Permission Scopes
Endpoints may require specific permission scopes. If your token lacks the required scopes, the API returns a 403 Forbidden response.
Scopes are included in the permissions claim of the JWT payload and are checked on each request.
Error Responses
| Status Code | Description |
|---|---|
| 401 Unauthorized | No token provided or token is malformed |
| 403 Forbidden | Token is valid but lacks required permissions |
Best Practices
Keep tokens server-side
Never expose SDK tokens in client-side code. Use them only in backend services or server-side API calls.
Handle token expiry
SDK tokens have an expiration time. Implement token refresh logic in your integration to avoid interruptions.
Use least-privilege scopes
Request only the permission scopes your integration needs. This limits the blast radius if a token is compromised.