Authentication

The Divinci AI SDK supports multiple authentication methods.

API Key Authentication

The simplest method is to pass an API key directly to the server SDK:

import { DivinciServer } from "@divinci-ai/server";

const divinci = new DivinciServer({
  apiKey: process.env.DIVINCI_API_KEY,
});

External User Authentication

For embedded chat widgets, identify users with external user data:

const client = new DivinciClient({
  releaseId: "rel_abc123",
  apiKey: "divinci_key_...",
  externalUser: {
    id: "user_123",
    tier: "premium",
    metadata: {
      company: "Acme Inc",
    },
  },
});

JWT Token Authentication

For production browser applications, use JWT tokens issued by your backend, so the client configuration contains no API key:

const client = new DivinciClient({
  releaseId: "rel_abc123",
  getToken: async () => {
    const response = await fetch("/api/divinci-token");
    const data = await response.json();
    return data.token;
  },
});

Your backend generates the token:

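// Express backend
// `divinci` is the DivinciServer instance created with the API key above.
// `req.user` is expected to be populated by your own authentication middleware.
app.get("/api/divinci-token", async (req, res) => {
  const token = await divinci.auth.createToken({
    userId: req.user.id,
    releaseId: "rel_abc123",
    expiresIn: "1h",
  });
  res.json({ token });
});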
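
A hardened variant of the token endpoint above, as an added example that is not part of the Divinci documentation: it refuses unauthenticated requests, takes the user ID only from the server-side session, marks the response as non-cacheable, and keeps SDK error details out of the response. Only `divinci.auth.createToken({ userId, releaseId, expiresIn })` comes from this page; `makeTokenHandler`, the `req.user` convention and the error messages are assumptions.

```javascript
// Added example, not Divinci's own code. makeTokenHandler is a hypothetical
// helper; req.user is assumed to be set by your authentication middleware.
function makeTokenHandler(divinci, releaseId) {
  return async function tokenHandler(req, res) {
    // Tokens are credentials: forbid caching by browsers and intermediaries.
    res.set("Cache-Control", "no-store");

    // Require an authenticated session before minting anything.
    const userId = req.user && req.user.id;
    if (userId === undefined || userId === null || userId === "") {
      return res.status(401).json({ error: "authentication required" });
    }

    try {
      // userId and releaseId come from server-side state only, never from
      // req.query or req.body, so a caller cannot ask for another user's token.
      const token = await divinci.auth.createToken({
        userId,
        releaseId,
        expiresIn: "1h", // same lifetime as the page's example
      });
      return res.json({ token });
    } catch (err) {
      // Log on the server; do not echo SDK error details to the browser.
      console.error("divinci token creation failed:", err.message);
      return res.status(502).json({ error: "token service unavailable" });
    }
  };
}

// Usage with Express, with `app` and `divinci` created as shown on this page:
//   app.get("/api/divinci-token", makeTokenHandler(divinci, "rel_abc123"));
```
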

Security Best Practices

  1. Never commit API keys - Use environment variables
  2. Rotate keys regularly - Update keys periodically
  3. Use separate keys - Different keys for dev/staging/production
  4. Limit key permissions - Use scoped keys when possible
  5. Monitor usage - Track API key usage for anomalies