← Developer guides

Choose your auth mode

Two ways to authenticate the SDK — a decision tree for whether you need an API key or a session JWT.

The SDK supports two auth modes. Picking the right one depends on where the code that calls the SDK actually runs — not which is more convenient.

The decision tree

Is this code running on your server (Node.js backend, cron job, internal service)? → Use API key mode. Pass your key as apiKey. See Get your API key.

const ai = new Quravin({
  endpoint: process.env.QURAVIN_URL,
  apiKey:   process.env.QURAVIN_KEY,   // from your secrets store — never commit
});

Is this code running in a user’s browser? → Use session JWT mode. Your server mints a short-lived, per-user token and hands it to the page — the browser never sees client_secret or a static API key.

const ai = new Quravin.Quravin({
  endpoint: "https://api.example.com/ai-pipeline",
  sessionToken: await fetchToken(),   // from your own backend endpoint
  onTokenExpired: fetchToken,          // auto-refresh on 401
});

Why this matters

An API key is a bearer credential — anyone who reads it from your page source has full access to everything your app can do. A session JWT is scoped to one user, expires in minutes, and is minted fresh by your own server on every page load.

Rule of thumb: if the code ships to a browser, it needs a session JWT, not an API key.

Next: Integrate into your own server shows the token-minting endpoint that issues session JWTs.