
Authentication

New integrations use Personal Access Tokens (PATs) on the Agent API. Existing customers using the legacy /protected/* endpoints continue with their JWT.

Personal Access Tokens (recommended)

Generate a PAT in the web UI under Account → API. Tokens look like:

dcp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_AbCdEfG

The full plaintext is shown once at creation. Store it in a secret manager: we only keep a SHA-256 hash, so we can't recover it for you. Revoke and rotate freely; tokens are independent of your web session and can be scoped or expired per-token.

Header

http
Authorization: Bearer dcp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Verify your token

bash
curl -H "Authorization: Bearer $PAT" \
  https://www.docuclipper.com/api/v1/agent/whoami

Returns { userId, email, contractId, planName, authMethod: "pat", scopes }.

Where PATs work

  • Yes: all /api/v1/agent/* endpoints (recommended path).
  • Yes: all /api/v1/agent/mcp/* tool dispatch endpoints.
  • No: legacy /api/v1/protected/* endpoints; those still require a session JWT.

Legacy JWT auth (existing customers)

The /protected/* endpoints accept a session JWT in the same Authorization: Bearer ... header. JWTs are issued by the web app login flow. New integrations should prefer PATs on /agent/*.

Errors

  • 401 Unauthorized: missing token, wrong format, revoked, or expired.
  • 403 Forbidden: valid token but insufficient permissions.

See Errors for full error codes.
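
The whoami check from "Verify your token" combined with the status codes under "Errors", as an added example that is not DocuClipper's own code. The function names are hypothetical, and the token shape check (a `dcp_` prefix followed by URL-safe characters) is an assumption inferred from the sample token above.

```bash
#!/usr/bin/env bash
# Added example, not DocuClipper's code. Expects the token in $PAT,
# exported by your secret manager rather than typed on the command line.

# Shape check. Assumption: "dcp_" plus URL-safe base64 characters,
# inferred from the sample token on this page; length is not checked.
pat_shape_ok() {
  case "$1" in
    dcp_*) ;;
    *) return 1 ;;
  esac
  pat_rest=${1#dcp_}
  [ -n "$pat_rest" ] || return 1
  case "$pat_rest" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Map the HTTP status from whoami to the causes this page lists.
explain_status() {
  case "$1" in
    200) echo "ok: token accepted" ;;
    401) echo "unauthorized: token missing, wrong format, revoked, or expired" ;;
    403) echo "forbidden: token valid but lacks permission" ;;
    *)   echo "unexpected: HTTP $1" ;;
  esac
}

# Returns 0 on HTTP 200, 1 on any other status, 2 on a malformed or
# missing token (no request is sent), 3 if curl itself fails.
verify_pat() {
  if ! pat_shape_ok "${PAT:-}"; then
    echo "PAT is unset or does not look like a dcp_ token" >&2
    return 2
  fi
  # Feed the header to curl as a config read from stdin (-K -), so the
  # token never appears in curl's argument list, which other local users
  # can read. The shape check above guarantees the token has no quotes.
  pat_status=$(printf 'header = "Authorization: Bearer %s"\n' "$PAT" |
    curl -sS -K - -o /dev/null -w '%{http_code}' \
      https://www.docuclipper.com/api/v1/agent/whoami) || return 3
  explain_status "$pat_status"
  [ "$pat_status" = 200 ]
}
```

Source the file and run `verify_pat` at deploy time or after each rotation; a 401 right after rotating usually means the old token is still configured somewhere.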