Authentication

Session Authentication

The primary authentication method is session-based via NextAuth. When signed in through the web application, API requests from the same browser session are automatically authenticated via cookies.

API Key Authentication

Organization administrators can create REST API keys for programmatic access. Keys use the format thig_ followed by 40 hex characters. Manage keys at Settings > Developer or via the REST API Keys API.
REST API keys (format: thig_...) are for programmatic access to the thig.ai API. They are separate from Organization AI API keys (at Settings > API Keys), which manage your AI provider keys (OpenAI, Anthropic, Gemini) for AI generation.
Include the API key in the Authorization header:
curl -H "Authorization: Bearer thig_your_key_here" \
  https://app.thig.ai/api/projects

Creating API Keys

  1. Navigate to Settings > Developer in your admin dashboard
  2. Click Create API Key
  3. Give the key a descriptive name (e.g., “CI/CD Pipeline”, “Slack Integration”)
  4. Optionally set an expiration date and custom rate limit
  5. Copy the key immediately — it is only shown once

Key Limits by Plan

Plan         | API Keys      | Rate Limit
-------------|---------------|--------------------------
Free         | No API access |
Starter      | 2 keys        | 60 req/min
Professional | 10 keys       | 60 req/min
Enterprise   | Unlimited     | 60 req/min (customizable)

Key Management

  • Deactivate a key to temporarily disable it without deleting
  • Delete a key to permanently revoke access
  • Keys can have optional expiration dates — you’ll receive an email warning 7 days before expiry
  • All API key usage is logged in the audit trail

Error Responses

Status | Code            | Meaning
-------|-----------------|-------------------------------------
401    | UNAUTHENTICATED | Invalid, expired, or deactivated key
403    | FORBIDDEN       | Plan does not include API access
429    | RATE_LIMITED    | Rate limit exceeded
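The key format from the API Key Authentication section and the error table above, worked into a small client-side check, as an added example that is not part of thig.ai's documentation or any official SDK. It assumes error bodies are JSON with a top-level "code" field and that upper-case hex is accepted in keys; both are assumptions, not facts from this page.

```python
import json
import re
import urllib.error
import urllib.request

# Documented format: "thig_" followed by 40 hex characters.
# Accepting upper-case hex is an assumption.
API_KEY_RE = re.compile(r"^thig_[0-9a-fA-F]{40}$")

# Documented error responses, mapped to what a client should do next.
ERROR_ACTIONS = {
    (401, "UNAUTHENTICATED"): "stop: key is invalid, expired, or deactivated; rotate it",
    (403, "FORBIDDEN"): "stop: plan does not include API access",
    (429, "RATE_LIMITED"): "retry later: documented limit is 60 req/min",
}


def validate_api_key(key: str) -> bool:
    """Reject malformed keys locally, before they are ever sent over the wire."""
    return API_KEY_RE.fullmatch(key) is not None


def auth_headers(key: str) -> dict:
    """Build the Authorization header; refuse keys that do not match the format."""
    if not validate_api_key(key):
        raise ValueError("API key must be 'thig_' followed by 40 hex characters")
    return {"Authorization": f"Bearer {key}", "Accept": "application/json"}


def classify_error(status: int, body: bytes) -> str:
    """Map a documented error response to a client action.
    Assumes (not stated on the page) that the body is JSON with a 'code' field."""
    try:
        parsed = json.loads(body or b"{}")
    except ValueError:
        parsed = {}
    code = parsed.get("code", "") if isinstance(parsed, dict) else ""
    return ERROR_ACTIONS.get((status, code), f"unexpected response {status} {code or '?'}")


def get_projects(key: str, base_url: str = "https://app.thig.ai") -> tuple[int, str]:
    """GET /api/projects; returns (status, action) instead of raising on the
    documented 4xx errors so the caller can decide whether to retry or stop."""
    req = urllib.request.Request(f"{base_url}/api/projects", headers=auth_headers(key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as err:
        return err.code, classify_error(err.code, err.read())
```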

Auth Endpoints

Register

Request body fields:
  • name (string, required): Full name of the user
  • email (string, required): Email address
  • password (string, required): Password (min 8 chars, must include uppercase, lowercase, and digit)
  • timezone (string, optional): IANA timezone string (e.g., “America/New_York”)
  • inviteToken (string, optional): Invitation token to join an organization

curl -X POST https://app.thig.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Jane Doe",
    "email": "jane@example.com",
    "password": "SecurePass1",
    "timezone": "America/New_York"
  }'

Sign Out

curl -X POST https://app.thig.ai/api/auth/sign-out \
  -H "Cookie: next-auth.session-token=YOUR_SESSION"

Forgot Password

curl -X POST https://app.thig.ai/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email": "jane@example.com"}'

Reset Password

curl -X POST https://app.thig.ai/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "reset-token-from-email",
    "password": "NewSecurePass1",
    "confirmPassword": "NewSecurePass1"
  }'

Change Password (Authenticated)

curl -X POST https://app.thig.ai/api/auth/change-password \
  -H "Content-Type: application/json" \
  -H "Cookie: next-auth.session-token=YOUR_SESSION" \
  -d '{"currentPassword": "OldPass1", "newPassword": "NewPass1"}'

Verify Email

curl "https://app.thig.ai/api/auth/verify-email?token=verification-token-from-email"

Resend Verification Email

curl -X POST https://app.thig.ai/api/auth/resend-verification \
  -H "Content-Type: application/json" \
  -d '{"email": "jane@example.com"}'

Permissions

API access respects your organization role:

Role   | Access Level
-------|-------------------------------------------
Owner  | Full access to all resources and settings
Admin  | Manage team, templates, and settings
Member | Create and manage own projects
Viewer | Read-only access to shared projects

Security

  • Account lockout after 5 failed login attempts (15-minute lockout, 30-minute reset)
  • Rate limiting on auth endpoints to prevent brute force
  • Passwords hashed with bcryptjs
  • API keys encrypted at rest with AES-256-GCM

Share Token Authentication

Some endpoints support unauthenticated access via share tokens for external collaboration:
curl -H "x-share-token: SHARE_TOKEN" \
  -H "x-share-password: OPTIONAL_PASSWORD" \
  https://app.thig.ai/api/projects/PROJECT_ID
Supported on: project detail, PRD content, status history, and activity endpoints.