Authentication
Learn how to authenticate your API requests.
Authentication Reference
ZeroDrive supports multiple authentication methods for different use cases.
Authentication Methods
| Method | Use Case | Token Lifetime |
|---|---|---|
| API Keys | Server-to-server, scripts, integrations | Until revoked |
| JWT Tokens | Mobile applications | 30 days |
| Session Cookies | Web application (browser) | Session-based |
API Key Authentication
The recommended method for programmatic access.
Obtaining an API Key
- Log in to ZeroDrive at drive.futurixai.com
- Go to Settings > Developer > API Keys
- Click Create New API Key
- Configure name, permissions, and optional expiration
- Copy the generated key (shown only once)
Using an API Key
Include the API key in the Authorization header:
cURL Example
JavaScript Example
Python Example
API Key Format
API Key Permissions
When creating an API key, select which endpoints it can access:
File Permissions
Folder Permissions
Workspace Permissions
Trash Permissions
Managing API Keys
List All Keys
Response
Create New Key
Response
Important: The full key is only shown once at creation. Store it securely.
Update Key Permissions
Revoke Key
Check Usage Statistics
Response
API Key Limits
- Maximum keys per user: 10
- Key expiration: Optional (can be set at creation)
- Rate limits: Standard rate limits apply per key
JWT Token Authentication (Mobile)
For mobile applications using the ZeroDrive mobile SDKs.
Obtaining a JWT Token
Login with Email/Password
Response
Login with Google OAuth
Login with Microsoft OAuth
Using JWT Tokens
As with API keys, include the token in the Authorization header:
JWT Token Structure
Token Properties
| Property | Description |
|---|---|
| userId | User's unique identifier |
| email | User's email address |
| tokenId | Reference to database token record |
| iat | Issued at timestamp |
| exp | Expiration timestamp (30 days) |
Refreshing Tokens
JWT tokens expire after 30 days. To get a new token:
- User logs in again
- New token is issued
- Old token remains valid until expiration
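A client can read the `exp` claim to prompt for re-login before the 30-day expiry. This is an added example, not ZeroDrive or SDK code: it assumes a standard compact JWT with `iat`/`exp` in seconds since the epoch, and `REAUTH_WINDOW`, the function names and the sample claim values are hypothetical. It does not verify the signature, so use it only to schedule re-login, not to trust the claims.

```python
import base64
import json
import time

DAY = 24 * 3600
REAUTH_WINDOW = 3 * DAY  # assumption: prompt for re-login 3 days before exp
REQUIRED = ("userId", "email", "tokenId", "iat", "exp")  # claims listed above


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token):
    """Return payload claims WITHOUT verifying the signature (scheduling only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    missing = [name for name in REQUIRED if name not in claims]
    if missing:
        raise ValueError("missing claims: " + ", ".join(missing))
    return claims


def token_state(token, now=None):
    """Classify a stored token as 'valid', 'reauth_soon' or 'expired'."""
    now = time.time() if now is None else now
    remaining = read_claims(token)["exp"] - now
    if remaining <= 0:
        return "expired"
    return "reauth_soon" if remaining <= REAUTH_WINDOW else "valid"


def make_sample_token(iat):
    # Constructed sample: made-up claim values, placeholder header and signature.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"userId": "u_123", "email": "user@example.com",
               "tokenId": "t_456", "iat": iat, "exp": iat + 30 * DAY}
    return ".".join([enc({"typ": "JWT"}), enc(payload), "c2FtcGxl"])
```

A token that has been revoked from account settings still decodes as `valid` here; only the server's response to a request reflects revocation.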
Revoking Mobile Tokens
Users can revoke mobile tokens from their account settings to log out devices remotely.
Session Authentication (Web)
For the ZeroDrive web application. Uses secure HTTP-only cookies.
How It Works
- User logs in via web interface
- Session cookie is set automatically
- Browser sends cookie with each request
- Session validated server-side
Not for API Usage
Session authentication is designed for browser use only and is not recommended for API integrations. Use API keys instead.
Authentication Errors
401 Unauthorized
Causes:
- Missing Authorization header
- Invalid API key or JWT token
- Expired token
403 Forbidden
Causes:
- API key lacks permission for the endpoint
- Attempting to access another user's resources
Security Best Practices
1. Protect Your Keys
2. Use Minimal Permissions
Only grant permissions your application needs:
3. Set Expiration for Temporary Keys
4. Rotate Keys Regularly
- Create new keys periodically
- Update your applications
- Revoke old keys
5. Monitor Usage
Regularly check your API key usage for unusual activity:
6. Use HTTPS Only
All API requests must use HTTPS. HTTP requests are rejected.
7. Implement Proper Error Handling
Authentication Flow Diagram
Quick Reference
API Key Request
JWT Token Request
Check Current User
Response