Authentication

Dacard.ai uses Clerk for authentication. Most API endpoints require a valid session, but some are publicly accessible.

Authentication methods

Session cookie

__session cookie set automatically when a user signs in via the dashboard. Used by the web app and browser-based integrations.

Bearer token

Authorization: Bearer <jwt> header for server-to-server and programmatic access. JWTs are issued by Clerk.

Session cookie (browser)

When a user signs in at app.dacard.ai, Clerk sets a secure __session cookie. All subsequent requests from the browser include this cookie automatically. No additional configuration is needed for browser-based access.

Bearer token (server-to-server)

For programmatic access, include a Clerk-issued JWT in the Authorization header:
curl -X GET https://app.dacard.ai/api/products \
  -H "Authorization: Bearer eyJhbGciOiJS..."
To obtain a JWT, use the Clerk SDK (for example, session.getToken() in Clerk's JavaScript SDK) or the Clerk Frontend API from an authenticated session. Clerk session tokens are short-lived (60 seconds by default), so fetch a fresh token when you start a batch of requests rather than storing one; an expired token is rejected with the 401 response described under Error responses.

Public endpoints

The following endpoints do not require authentication:

Endpoint             Method  Description
/api/score/{id}      GET     View any scoring result by ID
/api/try-score       POST    Anonymous scoring (rate-limited)
/api/og              GET     Open Graph image generation
/api/stripe/webhook  POST    Stripe webhook receiver (called by Stripe, not by users)

For /api/score/{id}, anyone who holds a result ID can view that result; the ID is the only access control, so a result is exactly as public as the link to it.

Public routes

These pages are accessible without sign-in:
  • /r/{id}: Shared score result pages
  • /try: Anonymous scoring page
  • /pricing: Pricing page
  • /demo/*: Demo pages
  • /sign-in, /sign-up: Authentication pages

Error responses

When authentication fails (no session cookie or bearer token is presented, or the token is expired or invalid), the API returns a 401 Unauthorized response:

{
  "error": "Authentication required"
}

When the caller is authenticated but lacks the required role or permission, the API returns a 403 Forbidden response:

{
  "error": "Forbidden: insufficient permissions"
}

Role-based access

After authentication, endpoints enforce role-based access control (RBAC). Each user is assigned a role that determines which actions they can perform. See the Roles & Permissions guide for the full permission matrix.
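The gate below ties the public-endpoint table, the public-route list, the 401/403 responses and the role check together as an added example; it is not Dacard.ai's or Clerk's code. It assumes Clerk's middleware has already verified the session cookie or bearer token and handed the handler a session object. The `role` claim, the role names and the permission matrix for /api/products are hypothetical placeholders for whatever the Roles & Permissions guide defines, and the path normalisation step is this example's own addition, not something the page describes.

```typescript
// Added example (not Dacard.ai's or Clerk's code): a request gate that applies
// the public-endpoint table, the public-route list and the 401/403 responses
// documented on this page. Clerk's middleware performs the actual session
// verification; this models only the decision made once that is done.

type Method = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";

// What a verified session looks like to a route handler. `role` is a
// hypothetical claim; the real role names live in the Roles & Permissions guide.
interface Session {
  userId: string;
  role: string;
}

interface Decision {
  status: 200 | 401 | 403;
  body: { ok?: boolean; error?: string };
}

// Public API endpoints from the table. Matching is method-specific, so
// GET /api/score/{id} is public but a POST to the same path is not.
const PUBLIC_ENDPOINTS: Array<{ method: Method; pattern: RegExp }> = [
  { method: "GET",  pattern: /^\/api\/score\/[^/]+$/ },   // /api/score/{id}
  { method: "POST", pattern: /^\/api\/try-score$/ },
  { method: "GET",  pattern: /^\/api\/og$/ },
  { method: "POST", pattern: /^\/api\/stripe\/webhook$/ },
];

// Public pages from the list. /demo/* is a prefix match; the others are exact.
// Pages are matched by path only, which is how Clerk's route matchers work.
const PUBLIC_PAGES: RegExp[] = [
  /^\/r\/[^/]+$/,          // /r/{id}
  /^\/try$/,
  /^\/pricing$/,
  /^\/demo(\/.*)?$/,       // /demo/*
  /^\/sign-in$/,
  /^\/sign-up$/,
];

// Hypothetical permission matrix for protected endpoints (a stand-in for the
// Roles & Permissions guide). Anything not listed here is denied.
const REQUIRED_ROLES: Array<{ method: Method; pattern: RegExp; roles: string[] }> = [
  { method: "GET",    pattern: /^\/api\/products$/,        roles: ["viewer", "editor", "admin"] },
  { method: "POST",   pattern: /^\/api\/products$/,        roles: ["editor", "admin"] },
  { method: "DELETE", pattern: /^\/api\/products\/[^/]+$/, roles: ["admin"] },
];

// Canonicalise the path before matching: strip query/fragment, percent-decode
// once, and resolve "." / ".." / empty segments, so that
// "/demo/../api/products" or "/demo%2F..%2Fapi/products" is judged as
// "/api/products" and cannot ride the /demo/* allow rule.
function normalizePath(rawPath: string): string {
  const pathOnly = rawPath.replace(/[?#].*$/, "");
  let decoded = pathOnly;
  try {
    decoded = decodeURIComponent(pathOnly);
  } catch {
    // Malformed percent-encoding: match on the raw path, which fails closed.
  }
  const segments: string[] = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { segments.pop(); continue; }
    segments.push(seg);
  }
  return "/" + segments.join("/");
}

function isPublic(method: Method, rawPath: string): boolean {
  const path = normalizePath(rawPath);
  if (PUBLIC_ENDPOINTS.some(e => e.method === method && e.pattern.test(path))) return true;
  return PUBLIC_PAGES.some(p => p.test(path));
}

// 200 for public routes or an authorised session, 401 when no session is
// present, 403 when the session exists but the role is not allowed.
function authorize(method: Method, rawPath: string, session: Session | null): Decision {
  if (isPublic(method, rawPath)) return { status: 200, body: { ok: true } };
  if (session === null) return { status: 401, body: { error: "Authentication required" } };
  const path = normalizePath(rawPath);
  const role = session.role;
  const rule = REQUIRED_ROLES.find(r => r.method === method && r.pattern.test(path));
  if (!rule || !rule.roles.some(allowed => allowed === role)) {
    return { status: 403, body: { error: "Forbidden: insufficient permissions" } };
  }
  return { status: 200, body: { ok: true } };
}
```

Two points the tables imply but do not spell out are made explicit here: the API allowlist is checked per method, so POST /api/score/{id} still needs a session, and a protected route with no entry in the permission matrix is denied with 403 rather than allowed through.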