Every request to the Doxbrix API must be authenticated with a token, passed as a bearer token in the `Authorization` header. This page explains how to create tok...
Every request to the Doxbrix API must be authenticated with a token, passed as a bearer token in the `Authorization` header. This page explains how to create tok...
Every request to the Doxbrix API must be authenticated with a token, passed as a bearer token in the Authorization header. This page explains how to create tokens, the scopes that control what a token can do, and the device flow for user-facing tools.
Bearer tokens
Pass your token in the Authorization header on every request:
Authorization: Bearer dxb_…curl https://api.doxbrix.io/v1/me \
-H "Authorization: Bearer $DOXBRIX_TOKEN"Requests without a valid token return 401 Unauthorized.
Creating a token
Go to Settings → Project → API Tokens to create a project-scoped token for the dxb CLI and /api/v1.
Name it and create it.
The token is shown only once. Store it in a secret manager immediately.
Scopes
Scopes limit what a token can do. Grant the minimum a token needs:
| Scope | Allows |
|---|---|
| `project:read` | Read project metadata, structure, search, and quality. |
| `project:admin` | Create and manage projects and settings. |
| `docs:read` | Read pages and content. |
| `docs:write` | Create and update pages and structure. |
| `ai:use` | Call the assistant endpoints. |
docs:write (and docs:read), not project:admin. Over-scoped tokens are a bigger risk if leaked.Authenticating in code
curl https://api.doxbrix.io/v1/projects \
-H "Authorization: Bearer $DOXBRIX_TOKEN"OAuth device flow
For tools that act on behalf of a user (like the CLI), Doxbrix supports the OAuth 2.0 device authorization flow:
POST /v1/auth/device/start returns a device_code, a user_code, and a verification URL.
The user visits the URL and enters the user_code to approve.
POST /v1/auth/device/poll with the device_code until the user approves, then you receive an access token.
See Start device authorization and Poll for token for the endpoint details.
Rotating and revoking tokens
- Rotate a token by creating a new one, updating your integration, then revoking the old one — no downtime.
- Revoke a token any time in Settings → Project → API Tokens (or via
DELETE /auth/tokens/{tokenId}); it stops working immediately.