SuitePortal
Developer Guide

Authentication

Authentication methods for SuitePortal API and portal access

SuitePortal uses Better Auth for authentication, supporting multiple methods for different use cases.

Authentication Methods

Method            | Use Case          | Description
API Keys          | Server-to-server  | Bearer token for programmatic API access
Social Login      | Portal users      | Google, GitHub, Microsoft OAuth
Email OTP         | Portal users      | Passwordless one-time code
Email + Password  | Portal users      | Traditional credentials

API Key Authentication

For programmatic API access, send the API key as a bearer token in the Authorization header.

Header Format

Authorization: Bearer sp-{timestamp}-{hash}

Example Request

curl -X GET "https://suiteportal.io/api/v1/invoices" \
  -H "Authorization: Bearer sp-1703123456789-abc123def456"

API Key Properties

Property           | Description
Format             | sp-{timestamp}-{hash}
Scope              | Organization-specific
Default expiration | 30 days
Rate limiting      | Disabled

Because API key requests are not rate limited, a leaked key can be used at full speed until it expires or is revoked. Revoke a key as soon as you suspect exposure rather than waiting for the 30-day expiry.

Creating API Keys

See API Keys for instructions on creating and managing keys.

Portal Authentication

Portal users (customers, vendors, employees) authenticate via the web interface.

Social Providers

Provider  | Status
Google    | ✓ Supported
GitHub    | ✓ Supported
Microsoft | ✓ Supported

Email OTP

Passwordless login via one-time code sent to email:

  1. User enters email address
  2. OTP is sent to email
  3. User enters OTP to complete login
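The three steps above, modelled server-side as an added example. This is not SuitePortal or Better Auth code: the in-memory store, the 5-minute code lifetime, the 3-attempt limit and the 6-digit code length are assumptions made for the example. It shows the properties a practitioner wants from step 2 and step 3: the code comes from a CSPRNG, only a hash of it is kept, it is bound to the address it was issued to, it is single use, it expires, and wrong guesses are capped.

```typescript
// Added example, not SuitePortal or Better Auth code: a server-side model of the
// three-step Email OTP flow. The in-memory store, the 5-minute lifetime, the
// 3-attempt limit and the 6-digit code length are assumptions for this example.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

export const OTP_TTL_MS = 5 * 60 * 1000; // assumption: a code lives 5 minutes
const MAX_ATTEMPTS = 3;                  // assumption: 3 wrong guesses burn the code

interface PendingOtp {
  codeHash: Buffer;   // hash of the code; the code itself is never stored
  expiresAt: number;  // ms since epoch
  attempts: number;
}

// Keyed by normalized email; a real deployment would keep this in the database.
const pending = new Map<string, PendingOtp>();

function normalize(email: string): string {
  return email.trim().toLowerCase();
}

// Bind the hash to the address so a code issued to one user cannot be replayed for another.
function hashCode(email: string, code: string): Buffer {
  return createHash("sha256").update(`${email}\0${code}`).digest();
}

// Step 2: generate the code and record its hash. The plaintext code is returned
// only so the mailer can deliver it; it must not be logged.
export function issueOtp(rawEmail: string, now: number = Date.now()): string {
  const email = normalize(rawEmail);
  const code = randomInt(0, 1_000_000).toString().padStart(6, "0"); // CSPRNG, 6 digits
  pending.set(email, { codeHash: hashCode(email, code), expiresAt: now + OTP_TTL_MS, attempts: 0 });
  return code;
}

export type OtpResult = "ok" | "no_pending" | "expired" | "mismatch" | "too_many_attempts";

// Step 3: verify the submitted code. Codes are single use: success, expiry or
// exhaustion of attempts all remove the pending entry.
export function verifyOtp(rawEmail: string, submitted: string, now: number = Date.now()): OtpResult {
  const email = normalize(rawEmail);
  const entry = pending.get(email);
  if (!entry) return "no_pending";
  if (now > entry.expiresAt) {
    pending.delete(email);
    return "expired";
  }
  entry.attempts += 1;
  // Constant-time comparison of two equal-length digests; no early exit on a prefix match.
  if (timingSafeEqual(entry.codeHash, hashCode(email, submitted))) {
    pending.delete(email);
    return "ok";
  }
  if (entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(email);
    return "too_many_attempts";
  }
  return "mismatch";
}
```

The attempt cap matters more than the code length: a 6-digit code has a million possibilities, so without a cap an attacker who can submit guesses freely during the 5-minute window has a real chance of success. Issuance should also be rate limited per address so the endpoint cannot be used to flood a victim's inbox.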

Email + Password

Traditional email and password authentication is supported.

Session Configuration

Setting            | Value     | Meaning
Session duration   | 3 days    | How long a session stays valid after it was created or last refreshed
Session update age | 1 day     | Minimum age since the last refresh before an active session's expiry is extended again
Cookie cache       | 5 minutes | How long session data cached in the cookie is trusted before the database is consulted again

Note that while the cookie cache is fresh, a session revoked on the server can still be accepted for up to 5 minutes.
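How the three settings interact, as an added example with the documented values plugged in. This is not SuitePortal or Better Auth code; the session record fields and the "refresh on use" rule are assumptions made for the example. It shows the sliding expiry (an active user is never logged out, an idle one is after 3 days, and the expiry is only rewritten once a day) and the revocation lag that the cookie cache introduces.

```typescript
// Added example, not SuitePortal or Better Auth code: a model of how the three
// settings above interact, using the documented values. The session record
// fields and the "refresh on use" rule are assumptions for this example.
export const SESSION_DURATION_MS = 3 * 24 * 60 * 60 * 1000; // 3 days
export const SESSION_UPDATE_AGE_MS = 24 * 60 * 60 * 1000;   // 1 day
export const COOKIE_CACHE_MS = 5 * 60 * 1000;               // 5 minutes

export interface SessionRecord {
  expiresAt: number; // absolute expiry, ms since epoch
  updatedAt: number; // when the expiry was last extended
}

export type SessionCheck =
  | { state: "expired" }
  | { state: "valid"; refreshed: boolean; session: SessionRecord };

export function newSession(now: number): SessionRecord {
  return { expiresAt: now + SESSION_DURATION_MS, updatedAt: now };
}

// Called on every authenticated request. A session that is still valid and at
// least one update age old since its last refresh gets its expiry pushed out
// again; a session that is used more often than that is left untouched, which
// keeps the write load to at most one update per session per day.
export function checkSession(session: SessionRecord, now: number): SessionCheck {
  if (now >= session.expiresAt) return { state: "expired" };
  if (now - session.updatedAt < SESSION_UPDATE_AGE_MS) {
    return { state: "valid", refreshed: false, session };
  }
  return { state: "valid", refreshed: true, session: newSession(now) };
}

// While the cookie cache is fresh the request is served from the session data
// carried in the cookie and the database is not consulted, so a revocation
// made in the database is not seen until the cache ages out.
export function cookieCacheFresh(cachedAt: number, now: number): boolean {
  return now - cachedAt < COOKIE_CACHE_MS;
}
```

If a deployment needs revocation to take effect immediately (for example after a password change or a reported account compromise), the cookie cache must be cleared for that user or disabled; the 5-minute window is the price paid for skipping the database on every request.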

Organization Context

API keys and sessions are scoped to an organization:

Portal Type | Data Access
Tenant      | All organization data
Customer    | Only the customer's own data (filtered by row-level security, RLS)
Vendor      | Only the vendor's own data (filtered by row-level security, RLS)

The tenantId is automatically derived from the authenticated context—no tenant parameter is required in API requests.

MCP OAuth (Advanced)

For AI/LLM integrations via the Model Context Protocol (MCP), OAuth 2.0 is used:

  1. Register OAuth application
  2. Complete OAuth authorization flow
  3. Use access token in MCP requests

The OAuth provider requires the following database tables:

  • oauthApplication
  • oauthAccessToken
  • oauthConsent
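The client side of the three steps above, as an added example that is not SuitePortal or Better Auth code. It implements step 2 as an OAuth 2.0 authorization-code grant with PKCE (RFC 7636) and step 3 as the bearer header on MCP requests; the `client_id` comes from step 1. The authorization and token endpoint paths, the client id and the redirect URI are assumptions made for the example; only the PKCE construction and the `state` check are standard. An MCP client is a public client (it cannot keep a client secret), which is exactly the case PKCE exists for.

```typescript
// Added example, not SuitePortal or Better Auth code: the client half of the
// three-step flow above as an OAuth 2.0 authorization-code grant with PKCE
// (RFC 7636). The endpoint paths, client id and redirect URI are assumptions;
// only the PKCE construction and the state check are standard.
import { createHash, randomBytes } from "node:crypto";

const AUTH_SERVER = "https://suiteportal.io";        // assumption
const AUTHORIZE_PATH = "/api/auth/oauth2/authorize"; // assumption
const TOKEN_PATH = "/api/auth/oauth2/token";         // assumption

function base64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// PKCE: a random verifier kept by the client and its S256 challenge sent up front,
// so a stolen authorization code is useless without the verifier.
export function newCodeVerifier(): string {
  return base64url(randomBytes(32)); // 43 characters, within RFC 7636's 43..128
}

export function codeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier, "ascii").digest());
}

export function newState(): string {
  return base64url(randomBytes(16)); // binds the callback to this client session
}

export interface AuthorizeParams {
  clientId: string;    // issued in step 1 when the OAuth application is registered
  redirectUri: string; // must match what was registered in step 1
  scope: string;
  state: string;
  verifier: string;
}

// Step 2a: the URL the user's browser is sent to.
export function buildAuthorizeUrl(p: AuthorizeParams): string {
  const url = new URL(AUTHORIZE_PATH, AUTH_SERVER);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", p.clientId);
  url.searchParams.set("redirect_uri", p.redirectUri);
  url.searchParams.set("scope", p.scope);
  url.searchParams.set("state", p.state);
  url.searchParams.set("code_challenge", codeChallenge(p.verifier));
  url.searchParams.set("code_challenge_method", "S256");
  return url.toString();
}

// Step 2b: handle the redirect back. A state mismatch means the callback was not
// started by this client (login CSRF) and must be rejected before the code is used.
export function parseCallback(callbackUrl: string, expectedState: string): string {
  const u = new URL(callbackUrl);
  const error = u.searchParams.get("error");
  if (error) throw new Error(`authorization failed: ${error}`);
  if (u.searchParams.get("state") !== expectedState) throw new Error("state mismatch");
  const code = u.searchParams.get("code");
  if (!code) throw new Error("missing authorization code");
  return code;
}

// Step 2c: exchange the code for tokens, proving possession of the verifier.
export function buildTokenRequest(code: string, verifier: string, clientId: string, redirectUri: string) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    code_verifier: verifier,
  });
  return {
    url: new URL(TOKEN_PATH, AUTH_SERVER).toString(),
    method: "POST" as const,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Step 3: present the access token on MCP requests.
export function mcpAuthHeaders(accessToken: string): Record<string, string> {
  return { Authorization: `Bearer ${accessToken}` };
}
```

The verifier and state must be generated fresh per authorization attempt and kept only on the client side until the exchange completes; the code challenge in the authorize URL and the verifier in the token request are what tie the two halves of the flow together. The `codeChallenge` function can be checked against the test vector in RFC 7636 Appendix B.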

Security Best Practices

API Keys

  • Store keys in environment variables, not code
  • Never commit keys to version control
  • Use different keys for development and production
  • Rotate keys regularly
  • Revoke unused keys immediately

Sessions

  • Use HTTPS for all requests
  • Implement CSRF protection in web forms
  • Log out inactive sessions

Error Responses

Status | Error            | Cause
401    | API key required | Missing Authorization header
401    | Invalid API key  | Key not found or expired
403    | Access denied    | User is not a member of the organization
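An added example of how the API key section, the organization context and the error table above fit together on the server: the Authorization header is turned into an organization-scoped request context or into one of the three documented error responses. This is not SuitePortal code. The key store interface, storing keys only as SHA-256 hashes, the exact format regex and the rule that a key stops working when its creator leaves the organization are assumptions made for the example; the demo key is the one from the curl example above.

```typescript
// Added example, not SuitePortal code: a server-side check that turns the
// Authorization header into an organization-scoped request context and yields
// the three error responses documented above. The key store, storing keys only
// as SHA-256 hashes, the format regex and the membership rule are assumptions.
import { createHash } from "node:crypto";

export interface StoredApiKey {
  keyHash: string;        // sha256(key) hex; the plaintext key is never stored
  organizationId: string; // the organization the key is scoped to
  ownerUserId: string;    // user who created the key
  expiresAt: number;      // ms since epoch
  revoked: boolean;
}

export interface ApiKeyStore {
  findByHash(keyHash: string): StoredApiKey | undefined;
  isMember(userId: string, organizationId: string): boolean;
}

export type AuthResult =
  | { ok: true; tenantId: string; keyHash: string }
  | { ok: false; status: 401 | 403; error: string };

// Assumption: a 13-digit millisecond timestamp followed by an alphanumeric hash.
const KEY_FORMAT = /^sp-\d{13}-[A-Za-z0-9]+$/;

export function hashApiKey(key: string): string {
  return createHash("sha256").update(key).digest("hex");
}

export function authenticateApiKey(
  headers: Record<string, string | undefined>,
  store: ApiKeyStore,
  now: number = Date.now(),
): AuthResult {
  const header = headers["authorization"] ?? headers["Authorization"];
  if (!header) return { ok: false, status: 401, error: "API key required" };
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  if (!m || !KEY_FORMAT.test(m[1])) return { ok: false, status: 401, error: "Invalid API key" };
  // Look up by hash so a leaked key table does not yield usable keys.
  const keyHash = hashApiKey(m[1]);
  const stored = store.findByHash(keyHash);
  if (!stored || stored.revoked || now >= stored.expiresAt) {
    return { ok: false, status: 401, error: "Invalid API key" };
  }
  // Assumption: a key stops working when its creator leaves the organization.
  if (!store.isMember(stored.ownerUserId, stored.organizationId)) {
    return { ok: false, status: 403, error: "Access denied" };
  }
  // tenantId comes from the key record, never from a request parameter.
  return { ok: true, tenantId: stored.organizationId, keyHash };
}

// Constructed demo data: the key from the curl example above, treated as issued
// at the timestamp embedded in it, with the documented 30-day default expiry.
const DAY_MS = 24 * 60 * 60 * 1000;
export const DEMO_KEY = "sp-1703123456789-abc123def456";
export const DEMO_ISSUED_AT = 1703123456789;

export function demoStore(ownerStillMember: boolean = true): ApiKeyStore {
  const keys = new Map<string, StoredApiKey>();
  const rec: StoredApiKey = {
    keyHash: hashApiKey(DEMO_KEY),
    organizationId: "org_acme",
    ownerUserId: "user_1",
    expiresAt: DEMO_ISSUED_AT + 30 * DAY_MS,
    revoked: false,
  };
  keys.set(rec.keyHash, rec);
  const members = new Map<string, Set<string>>([
    ["org_acme", new Set<string>(ownerStillMember ? ["user_1"] : [])],
  ]);
  return {
    findByHash: (h) => keys.get(h),
    isMember: (u, o) => members.get(o)?.has(u) ?? false,
  };
}
```

Two points are worth carrying into a real implementation: the same "Invalid API key" response is returned whether the key is unknown, revoked or expired, so the error does not tell a caller which of those it hit; and the tenant is taken from the key record, which is what makes the "no tenant parameter is required" rule above safe rather than merely convenient.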