The wrappers API itself does not issue tokens — token issuance is handled by the auth service that fronts the wrappers deployment. Every request to the wrappers API must include a valid JWT in theDocumentation Index
Fetch the complete documentation index at: https://docs.api.bsa.ai/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header.
If you don’t have a token yet, head to
Authorization for the credential and
token-issuance flow first, then come back here for the per-call
mechanics.
Headers
Authorization rule
All partner-facing endpoints are gated by the admin rule. Effectively: the JWT subject must hold an admin claim that the auth service recognizes. Non-admin tokens will receive a401 Unauthenticated (yes, the API uses the Unauthenticated code for both
missing/invalid tokens and unauthorized roles — the underlying auth
service decides which condition applied).
Token lifecycle
- Tokens have a finite TTL determined by the auth service.
- The wrappers API does not refresh tokens. When a token expires, obtain a new one from the auth service.
- There is no token revocation list maintained inside the wrappers service — revocation is the auth service’s responsibility.
Common auth errors
| Status | Code | Cause |
|---|---|---|
| 401 | unauthenticated | Missing, malformed, or expired token; subject lacks admin claim |
Example
401 unauthenticated on a known-good token, the most common
cause is the token was issued by a different auth realm than the one
configured on the wrappers deployment. Contact your integration
representative to verify.