Authentication

Server-to-server calls authenticate with an API key. Dashboard sessions use Supabase Auth.

API keys

Every REST request includes your key in the x-tixcore-key header (an Authorization: Bearer header also works). Keys are scoped to a single organization.

```bash
curl https://your-app.netlify.app/api/v1/analytics \
  -H "x-tixcore-key: tix_live_•••••"
```
Never expose a secret API key in client-side code. For browser checkout, the SDK only ever needs the public key_id returned by the order endpoint — your gateway secret stays on the server.

How keys are stored

TixCore stores only a SHA-256 hash of each key plus a short public prefix (for display). The raw key is shown exactly once, at creation. Revoking a key sets revokedAt, and the key stops authenticating immediately.

Dashboard sessions

The dashboard uses Supabase Auth (email magic link or Google OAuth). Sessions are cookie-based and refreshed by middleware. Server actions and pages resolve the current user and enforce role permissions through the requirePermission() guard.

Roles

  • Owner — full control, including billing and members.
  • Admin — everything except org deletion/billing.
  • Manager — events, coupons, scanners, analytics.
  • Scanner — read events/tickets and perform scans.
  • Volunteer — scan only.
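As an added example, not TixCore's own implementation, here is one way to express the five roles as permission sets and to write a requirePermission() guard for server actions in that style. The permission names, the SessionUser shape and the example action are assumptions; the role-to-capability mapping follows the list above, with writes implying the corresponding reads.

```typescript
// Added example (not TixCore's code): role-based permissions and a guard.
export type Role = "owner" | "admin" | "manager" | "scanner" | "volunteer";

// Hypothetical permission names chosen to cover the capabilities listed above.
export type Permission =
  | "org:delete" | "billing:manage" | "members:manage"
  | "events:write" | "coupons:write" | "scanners:manage" | "analytics:read"
  | "events:read" | "tickets:read" | "scans:perform";

const ALL_PERMISSIONS: Permission[] = [
  "org:delete", "billing:manage", "members:manage",
  "events:write", "coupons:write", "scanners:manage", "analytics:read",
  "events:read", "tickets:read", "scans:perform",
];

const ROLE_PERMISSIONS: Record<Role, ReadonlySet<Permission>> = {
  // Owner: full control, including billing and members.
  owner: new Set(ALL_PERMISSIONS),
  // Admin: everything except org deletion and billing.
  admin: new Set(ALL_PERMISSIONS.filter((p) => p !== "org:delete" && p !== "billing:manage")),
  // Manager: events, coupons, scanners, analytics (plus the reads those imply).
  manager: new Set<Permission>([
    "events:write", "coupons:write", "scanners:manage", "analytics:read",
    "events:read", "tickets:read",
  ]),
  // Scanner: read events/tickets and perform scans.
  scanner: new Set<Permission>(["events:read", "tickets:read", "scans:perform"]),
  // Volunteer: scan only.
  volunteer: new Set<Permission>(["scans:perform"]),
};

// Assumed shape of the user resolved from the Supabase Auth session.
export interface SessionUser {
  id: string;
  orgId: string;
  role: Role;
}

export class PermissionError extends Error {
  readonly permission: Permission;
  constructor(permission: Permission) {
    super(`missing permission: ${permission}`);
    this.name = "PermissionError";
    this.permission = permission;
  }
}

export function hasPermission(role: Role, permission: Permission): boolean {
  return ROLE_PERMISSIONS[role].has(permission);
}

// Guard for server actions and pages. A missing session, a user from another
// organization and an insufficient role all fail with the same error, so the
// caller cannot tell which check tripped.
export function requirePermission(
  user: SessionUser | null,
  orgId: string,
  permission: Permission,
): SessionUser {
  if (user === null) throw new PermissionError(permission);
  if (user.orgId !== orgId) throw new PermissionError(permission);
  if (!hasPermission(user.role, permission)) throw new PermissionError(permission);
  return user;
}

// Example server action: the guard runs before any work is done.
export function deleteCouponAction(user: SessionUser | null, orgId: string, couponId: string): string {
  const actor = requirePermission(user, orgId, "coupons:write");
  return `coupon ${couponId} deleted by ${actor.id}`;
}
```

Keeping the mapping in one table makes a permission review a matter of reading a few lines, and putting the org check inside the guard means a page cannot forget it and accidentally let a member of one organization act on another's data.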