
Authentication

Authenticate requests to the Mojar RAG API using a Bearer API key.

Every RAG API endpoint requires a valid Authorization header. The API supports three credential types, all sent as Bearer tokens.

Credential types

Internal API key

Server-to-server integrations use an internal API key. The token must begin with the prefix nest-.

Authorization: Bearer nest-<your_api_key>

The server validates the key against the NESTJS_API_KEY environment variable. All endpoints that carry @UseGuards(ApiAuthGuard) accept this credential type.

Supabase user JWT

Authenticated Mojar users can pass their Supabase session token as a standard Bearer token:

Authorization: Bearer <supabase_jwt>

The guard delegates validation to Supabase and populates the request with the resolved user object.

Guest tokens

Two guest-token formats are supported for embedded and public-chat contexts. These are issued internally by Mojar — you will not need to construct them manually unless you are building a custom embed.

Context         Header format
Iframe embed    Bearer JWT Guest <jwt>
Public chat     Bearer JWT Public Guest <jwt>

Making your first request

Obtain your internal API key from your deployment configuration (the NESTJS_API_KEY env var).

Add the Authorization header to every request:

curl https://api.mojar.ai/documents/search \
  -H "Authorization: Bearer nest-your_api_key" \
  -H "Content-Type: application/json"

A 401 Unauthorized response means the header is missing or the key is invalid. See Errors and status codes for the full error shape.

What the guard checks

The ApiAuthGuard evaluates the Authorization header in this order:

  1. If the token starts with nest-, it is treated as an internal API key and compared against NESTJS_API_KEY.
  2. If the header starts with Bearer JWT Guest or Bearer JWT Public Guest, it is decoded as a guest JWT.
  3. Otherwise the guard falls back to Supabase user JWT validation.

If none of these checks pass, the request is rejected with 401 Unauthorized.
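
The evaluation order above, sketched as a header router. This is an added example, not Mojar's guard code: routeAuthorization and sameSecret are hypothetical names, and JWT signature verification is left to the caller. It assumes the configured key is stored with its nest- prefix and that an unset key or a failed nest- comparison rejects the request outright.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type Route =
  | { kind: "internal-key" }
  | { kind: "guest-jwt"; context: "iframe" | "public-chat"; jwt: string }
  | { kind: "supabase-jwt"; jwt: string }
  | { kind: "rejected"; reason: string };

// Compare SHA-256 digests so timingSafeEqual always gets equal-length buffers
// and the comparison time does not depend on where the strings first differ.
function sameSecret(a: string, b: string): boolean {
  const digest = (s: string) => createHash("sha256").update(s, "utf8").digest();
  return timingSafeEqual(digest(a), digest(b));
}

// Hypothetical helper: decides which validator a header belongs to, in the
// documented order. It classifies only; it does not verify any JWT.
function routeAuthorization(header: string | undefined, configuredKey: string | undefined): Route {
  if (!header || !header.startsWith("Bearer ")) {
    return { kind: "rejected", reason: "missing or non-Bearer header" };
  }
  const token = header.slice("Bearer ".length);

  // 1. nest- prefix: internal API key. Assumption: the configured value
  //    includes the prefix, and an unset key fails closed.
  if (token.startsWith("nest-")) {
    if (!configuredKey) return { kind: "rejected", reason: "no API key configured" };
    return sameSecret(token, configuredKey)
      ? { kind: "internal-key" }
      : { kind: "rejected", reason: "API key mismatch" };
  }

  // 2. Documented guest prefixes (the part after "Bearer ").
  const guestPrefixes = [
    ["JWT Public Guest ", "public-chat"],
    ["JWT Guest ", "iframe"],
  ] as const;
  for (const [prefix, context] of guestPrefixes) {
    if (token.startsWith(prefix)) {
      const jwt = token.slice(prefix.length).trim();
      return jwt ? { kind: "guest-jwt", context, jwt }
                 : { kind: "rejected", reason: "empty guest token" };
    }
  }

  // 3. Anything else is handed to Supabase user JWT validation.
  const jwt = token.trim();
  return jwt ? { kind: "supabase-jwt", jwt } : { kind: "rejected", reason: "empty token" };
}
```

Every non-rejected result still has to pass its own validator before the request is trusted; a rejected result maps to 401 Unauthorized.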
