
Authentication

All API requests require a Bearer token in the Authorization header. Tokens are scoped to an organization and carry role-based permissions.

API Keys

API keys are prefixed with oi_live_sk_ (production) or oi_test_sk_ (sandbox). Generate keys from your admin dashboard. Keys never expire but can be revoked at any time.

Example Request
curl -X GET https://api.openinsure.dev/v1/policies \
  -H "Authorization: Bearer oi_live_sk_abc123..."

JWT Tokens

Portal users (policyholders, producers) authenticate via short-lived JWT tokens issued by the /auth/token endpoint. Tokens contain org, role, and sub claims.

Roles

admin
underwriter
finance
producer
policyholder
org_admin

Each endpoint specifies which roles are permitted. Requests with insufficient permissions receive a 403 response.
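As an added example (not OpenInsure's own code) of the checks this section describes: a Bearer token is either an API key with the oi_live_sk_ / oi_test_sk_ prefix or a JWT carrying org, role and sub, and a valid token whose role an endpoint does not allow gets a 403. The HS256 algorithm, the signing secret, the key store and the allowed-role set are assumptions; the page does not say how tokens are signed or which roles each endpoint permits.

```python
import base64, hashlib, hmac, json, time
# Constructed values: the real signing key, key store and per-endpoint roles are not on the page.
JWT_SECRET = b"constructed-hs256-secret"
API_KEYS = {  # api key -> principal; a revoked key is simply removed from the store
    "oi_live_sk_abc123": {"org": "org_42", "role": "admin", "sub": "key:abc123"},
}
ROLES = {"admin", "underwriter", "finance", "producer", "policyholder", "org_admin"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(header_b64, payload_b64):
    return hmac.new(JWT_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()

def issue_jwt(org, role, sub, ttl=900):
    """Short-lived HS256 token carrying the org, role and sub claims named on the page."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"org": org, "role": role, "sub": sub,
                                  "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{payload}.{_b64url(_sign(header, payload))}"

def principal_from_header(auth_header):
    """Resolve a Bearer token (API key or JWT) to {org, role, sub}; None if it is not valid."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    token = auth_header[len("Bearer "):].strip()
    if token.startswith(("oi_live_sk_", "oi_test_sk_")):
        return API_KEYS.get(token)
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm and verify the MAC in constant time before trusting any claim.
    if (json.loads(_unb64url(header)).get("alg") != "HS256"
            or not hmac.compare_digest(_sign(header, payload), _unb64url(sig))):
        return None
    claims = json.loads(_unb64url(payload))
    if claims.get("exp", 0) <= time.time() or claims.get("role") not in ROLES:
        return None
    return {"org": claims["org"], "role": claims["role"], "sub": claims["sub"]}

def authorize(auth_header, allowed_roles):
    """401 for a missing or invalid token, 403 when the role is not permitted, else 200."""
    principal = principal_from_header(auth_header)
    if principal is None:
        return 401
    return 200 if principal["role"] in allowed_roles else 403
```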

Row-Level Security

All queries are automatically scoped to the authenticated organization. Cross-tenant data access is architecturally impossible. The database enforces isolation at the query layer, not the application layer.