Authentication models
Applies to: Direct API and Managed API
Audience: Backend developers
Last updated: March 8, 2026
Crittora's documentation currently covers two authentication models: bearer-token auth for the Direct API, and request-time credential auth for the Managed API, where the credentials themselves travel with every call.
Direct API auth
The Direct API flow authenticates first, then uses a bearer token for subsequent API calls. This model fits both the JS and Python SDKs, as well as raw HTTP clients.
- Authenticate with Cognito credentials or use the runtime SDK's built-in auth provider.
- Store and refresh tokens on the server side.
- Send a bearer token to the Direct API host.
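The three steps above, worked through as one server-side client. This is an added example, not the Crittora SDK's own code, and it assumes things the page does not state: a caller-supplied `authenticate()` (your wrapper around the Cognito sign-in or the SDK's auth provider) that returns a Cognito-shaped `{"access_token", "expires_in"}` dict, and a placeholder Direct API host. The `fake_jwt` helper and the fake clock are constructed for the demo only. It goes slightly beyond the list by also handling an opaque (non-JWT) token, for which refresh is scheduled from `expires_in` instead of the `exp` claim.

```python
"""Server-side bearer-token cache for a Direct-API-style client.

Added example, not Crittora SDK code. Assumptions that are not stated on
the page: authenticate() is a caller-supplied callable (a wrapper around
the Cognito sign-in, or the SDK's auth provider) returning a dict with
"access_token" (a JWT) and "expires_in" (seconds), in the shape Cognito
returns; DIRECT_API_URL is a placeholder host.
"""
import base64
import json
import threading
import time
import urllib.request
from typing import Any, Callable, Dict, Optional

DIRECT_API_URL = "https://direct-api.example.invalid/v1/encrypt"  # placeholder
REFRESH_MARGIN_SECONDS = 60  # renew this long before the token expires


def jwt_expiry(token: str) -> Optional[int]:
    """Read the `exp` claim of a JWT without verifying it.

    The caller never trusts these claims for authorization (the API does
    that on receipt); `exp` is read only to schedule a refresh.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, not a JWT
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return int(exp) if isinstance(exp, (int, float)) else None


class TokenCache:
    """One cached bearer token per service, refreshed shortly before expiry.

    Thread-safe so concurrent request handlers share a single token
    instead of each signing in on its own.
    """

    def __init__(self, authenticate: Callable[[], Dict[str, Any]],
                 now: Callable[[], float] = time.time) -> None:
        self._authenticate = authenticate
        self._now = now
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.auth_calls = 0  # how many times the auth endpoint was actually hit

    def token(self) -> str:
        with self._lock:
            stale = self._now() >= self._expires_at - REFRESH_MARGIN_SECONDS
            if self._token is None or stale:
                resp = self._authenticate()
                self.auth_calls += 1
                tok = str(resp["access_token"])
                exp = jwt_expiry(tok)
                if exp is None:  # opaque token: fall back to the advertised lifetime
                    exp = int(self._now() + float(resp.get("expires_in", 3600)))
                self._token, self._expires_at = tok, float(exp)
            return self._token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": "Bearer " + self.token()}


def build_request(url: str, cache: TokenCache, body: bytes) -> urllib.request.Request:
    """Attach the bearer token, refusing to send it over anything but HTTPS."""
    if not url.lower().startswith("https://"):
        raise ValueError("bearer tokens may only be sent over HTTPS: " + url)
    headers = {"Content-Type": "application/json", **cache.auth_header()}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def fake_jwt(exp: int) -> str:
    """Constructed, unverifiable stand-in for a Cognito access token (demo only)."""
    def segment(obj: Dict[str, Any]) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return segment({"alg": "RS256", "kid": "demo"}) + "." + segment({"sub": "svc", "exp": exp}) + ".fakesig"


if __name__ == "__main__":
    clock = [1_700_000_000.0]  # fake clock so the demo is deterministic

    def sign_in() -> Dict[str, Any]:  # stands in for the Cognito call
        return {"access_token": fake_jwt(int(clock[0]) + 3600), "expires_in": 3600}

    cache = TokenCache(sign_in, now=lambda: clock[0])
    req = build_request(DIRECT_API_URL, cache, b'{"data": "example"}')
    print("sends", req.get_header("Authorization")[:14] + "...", "auth calls:", cache.auth_calls)
    clock[0] += 3600 - REFRESH_MARGIN_SECONDS  # reach the refresh window
    cache.token()
    print("after refresh window, auth calls:", cache.auth_calls)
```

The cache is process-local; if you run several instances, each signs in on its own, which is usually fine but means rotation and revocation take effect only as tokens expire. The unverified `exp` read is deliberate: the client is not the party that validates the token, and reading `exp` early avoids a round of 401-and-retry on every expiry.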
Managed API auth
The Managed API accepts username, password, api_key, access_key, and secret_key with each request. Crittora performs the Cognito interaction on behalf of the caller.
- Use a dedicated backend service account.
- Keep all five credentials in a secure secret store.
- Send credentials only from trusted server-side code; never embed them in a browser, mobile app, or any other client outside your control, since every request carries the full set.
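The Managed API handling described above (a dedicated service account whose five credentials come from a secret store and are only ever assembled in server-side code), as an added example that is not Crittora's own code. It assumes details the page does not give: the values are fetched through a lookup callable (`os.environ.get` stands in for a real secret-store client), they are placed in the JSON request body under their documented names, and the host is a placeholder. It also shows the logging backstop the requirements below call for: a filter that scrubs the secret values from any record that reaches a handler.

```python
"""Server-side handling of Managed API request credentials.

Added example, not Crittora code. Assumptions that are not stated on the
page: the five values are fetched from a secret store through a lookup
callable (os.environ.get stands in for a real secret-store client); they
travel in the JSON request body under their documented names (the page
does not say where in the request they go); MANAGED_API_URL is a
placeholder.
"""
import logging
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

MANAGED_API_URL = "https://managed-api.example.invalid/v1/encrypt"  # placeholder
CREDENTIAL_FIELDS = ("username", "password", "api_key", "access_key", "secret_key")


@dataclass(frozen=True, repr=False)
class ManagedCredentials:
    username: str
    password: str
    api_key: str
    access_key: str
    secret_key: str

    @classmethod
    def load(cls, lookup: Callable[[str], Optional[str]],
             prefix: str = "CRITTORA_") -> "ManagedCredentials":
        """Fetch all five values at startup and fail fast if any is missing."""
        values: Dict[str, str] = {}
        missing = []
        for field in CREDENTIAL_FIELDS:
            key = prefix + field.upper()
            value = lookup(key)
            if not value:
                missing.append(key)
            else:
                values[field] = value
        if missing:
            raise RuntimeError("missing Managed API secrets: " + ", ".join(missing))
        return cls(**values)

    def secret_values(self) -> Tuple[str, ...]:
        """Everything except the username is treated as a secret."""
        return (self.password, self.api_key, self.access_key, self.secret_key)

    def __repr__(self) -> str:  # keeps secrets out of tracebacks and debug dumps
        return f"ManagedCredentials(username={self.username!r}, <secrets redacted>)"


def redact(text: str, secrets: Iterable[str]) -> str:
    """Replace every occurrence of a secret value; longest values first so
    a short secret that is a substring of a longer one cannot leave residue."""
    for value in sorted({s for s in secrets if s}, key=len, reverse=True):
        text = re.sub(re.escape(value), "[REDACTED]", text)
    return text


class SecretFilter(logging.Filter):
    """Scrubs secret values from every record passing through a handler."""

    def __init__(self, secrets: Iterable[str]) -> None:
        super().__init__()
        self._secrets = tuple(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()  # message is already formatted, drop raw args
        return True


def managed_request(creds: ManagedCredentials, payload: Dict[str, object],
                    url: str = MANAGED_API_URL) -> Tuple[str, Dict[str, object]]:
    """Return (url, body) for one Managed API call.

    Refuses plain HTTP, and refuses a payload that already carries credential
    fields: if the payload is built from caller input, silently merging it
    would let that caller try to substitute its own credentials.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("Managed API credentials may only be sent over HTTPS: " + url)
    clash = [k for k in CREDENTIAL_FIELDS if k in payload]
    if clash:
        raise ValueError("payload must not contain credential fields: " + ", ".join(clash))
    body: Dict[str, object] = dict(payload)
    body.update({f: getattr(creds, f) for f in CREDENTIAL_FIELDS})
    return url, body


if __name__ == "__main__":
    # In production, replace os.environ.get with your secret-store client.
    creds = ManagedCredentials.load(os.environ.get)
    handler = logging.StreamHandler()
    handler.addFilter(SecretFilter(creds.secret_values()))  # on the handler, so every logger is covered
    log = logging.getLogger("managed-api")
    log.addHandler(handler)
    url, body = managed_request(creds, {"data": "example"})
    log.warning("posting %d fields to %s", len(body), url)  # no secret values reach the log
```

The filter is a safety net, not a substitute for never putting the body in a log call in the first place; a secret that is transformed (base64-encoded, split across fields) before logging will slip past a plain substring match. Loading all five values at startup, rather than lazily per request, means a missing or rotated secret is noticed at deploy time instead of on the first customer call.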
Security requirements
- Always use HTTPS.
- Rotate credentials and tokens according to your internal policy.
- Do not log passwords, secrets, or bearer tokens.
- Prefer short-lived credentials and tightly scoped backend access.
