API keys and OAuth sessions
The two ways to authenticate with Samva — durable API keys for servers and OAuth device-login sessions for people — and how each scopes the organization.
Samva has two credential types. They differ in who is acting and how the organization is chosen. This page explains the model; for the exact key formats and error shapes, see the Authentication reference.
Pick by actor: an API key for servers and automation, an OAuth session for a person at a terminal.
Two credentials
| | API key | OAuth session |
|---|---|---|
| For | Servers, backends, CI | A person (or agent) at a terminal |
| Identity | The key | Your user account |
| Organization | Bound to one org | Any org you belong to; you pick the active one |
| Lifetime | Until revoked | Until the session expires |
An API key carries its organization with it — key-based callers never choose an org. An OAuth session is tied to your user, so it can act on any organization you belong to, and you select the active one.
How device login works
samva login runs the OAuth 2.0 device authorization flow:
- The CLI requests a device code and shows you a verification URL and a short user code.
- It opens your browser (or prints the URL with --no-browser).
- You approve the session in the browser, signed in as your Samva user.
- The CLI receives a session token and stores it locally (mode 0600).
From then on, requests send Authorization: Bearer <token> instead of an X-API-Key header.
Organization scoping
Because a session is user-scoped, the active organization travels separately as the x-org-slug header:
- In the CLI, set it with samva org use <slug>.
- In the SDK, pass it as a header when you construct an authToken client:

```typescript
import { createClient } from "samva";

const samva = createClient({
  authToken: process.env.SAMVA_AUTH_TOKEN!,
  headers: { "x-org-slug": "acme" },
});
```

Session lifetime
Device sessions have no refresh token. A session slides while you use it and expires after a
period of inactivity; when it does, run samva login again. There is nothing to rotate or store
on a server — that is what API keys are for.
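The device login, org scoping and session lifetime sections above, as one added example that is not Samva's own code: a small in-memory model of both sides of the device flow (the server side stands in for Samva's auth service and follows the RFC 8628 message shapes, not Samva's documented endpoints) plus the CLI side that stores the token with mode 0600 and picks request headers by credential type. The function names, the verification URL, the sess_ token prefix and the token file path are assumptions.

```typescript
// Added example, not Samva's code. Endpoint shapes follow RFC 8628; Samva's real
// endpoints, token format and verification URL are assumptions made here.
import { randomBytes } from "crypto";
import { writeFileSync, chmodSync, statSync } from "fs";
import { tmpdir } from "os";
import { join } from "path";

type DeviceGrant = { userCode: string; approvedBy?: string; token?: string };
const grants: Record<string, DeviceGrant> = {}; // device_code -> pending grant (server state)

// Server, step 1: the CLI asks for a device code and a short user code to show the person.
function requestDeviceCode() {
  const deviceCode = randomBytes(16).toString("hex");
  const userCode = randomBytes(4).toString("hex").toUpperCase();
  grants[deviceCode] = { userCode };
  return { device_code: deviceCode, user_code: userCode, verification_uri: "https://samva.example/device", interval: 5 };
}

// Server, step 2: the signed-in user approves the user code in the browser. A code is usable once.
function approveInBrowser(userCode: string, user: string): boolean {
  for (const dc of Object.keys(grants)) {
    const g = grants[dc];
    if (g.userCode === userCode && !g.approvedBy) { g.approvedBy = user; return true; }
  }
  return false; // unknown or already-used code
}

// Server, step 3: the CLI polls the token endpoint. No refresh token is ever issued, which is
// why an expired session means running samva login again.
function pollToken(deviceCode: string): { access_token: string } | { error: string } {
  const g = grants[deviceCode];
  if (!g) return { error: "invalid_grant" };
  if (!g.approvedBy) return { error: "authorization_pending" };
  if (!g.token) g.token = "sess_" + randomBytes(24).toString("hex"); // constructed token format
  return { access_token: g.token };
}

// CLI: store the session token owner-read/write only and return the resulting mode bits.
function storeSessionToken(token: string, filePath: string = join(tmpdir(), "samva-session")): number {
  writeFileSync(filePath, token, { mode: 0o600 });
  chmodSync(filePath, 0o600); // the mode on write only applies to new files; enforce it on rewrite too
  return statSync(filePath).mode & 0o777;
}

// CLI/SDK: headers by credential. An API key carries its org, so it sends no x-org-slug;
// a session is user-scoped, so it must name the active org.
type Credential = { kind: "api_key"; key: string } | { kind: "session"; token: string; orgSlug: string };
function requestHeaders(cred: Credential): Record<string, string> {
  if (cred.kind === "api_key") return { "X-API-Key": cred.key };
  if (!cred.orgSlug) throw new Error("session requests need an x-org-slug");
  return { Authorization: "Bearer " + cred.token, "x-org-slug": cred.orgSlug };
}
```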
Which to use
- API key — anything unattended: a backend sending email, a cron job, CI. One organization, long-lived, stored as a secret.
- OAuth session — interactive work, especially across multiple organizations, where you don't want a long-lived key on your laptop.
Related
Authentication and tenancy
How API keys identify your code to Samva's email API, how organizations isolate your data, and why every record is tenant-scoped.
Deliverability
Understand what affects email inbox placement and how Samva helps — verified sending domains, authentication with DKIM and SPF, suppression and bounce handling, and open and click tracking.