Choose your auth mode
Two ways to authenticate the SDK — a decision tree for whether you need an API key or a session JWT.
The SDK supports two auth modes. Picking the right one depends on where the code that calls the SDK actually runs — not which is more convenient.
The decision tree
Is this code running on your server (Node.js backend, cron job, internal service)?
→ Use API key mode. Pass your key as apiKey. See Get your API
key.
const ai = new Quravin({
endpoint: process.env.QURAVIN_URL,
apiKey: process.env.QURAVIN_KEY, // from your secrets store — never commit
});
Is this code running in a user’s browser?
→ Use session JWT mode. Your server mints a short-lived, per-user token and hands it to the
page — the browser never sees client_secret or a static API key.
const ai = new Quravin.Quravin({
endpoint: "https://api.example.com/ai-pipeline",
sessionToken: await fetchToken(), // from your own backend endpoint
onTokenExpired: fetchToken, // auto-refresh on 401
});
Why this matters
An API key is a bearer credential — anyone who reads it from your page source has full access to everything your app can do. A session JWT is scoped to one user, expires in minutes, and is minted fresh by your own server on every page load.
Rule of thumb: if the code ships to a browser, it needs a session JWT, not an API key.
Next: Integrate into your own server shows the token-minting endpoint that issues session JWTs.