
Authentication

The drop.mov API uses three authentication methods; which one applies depends on the part of the API being called.

Authentication Methods

1. Bearer Token (JWT)

Used for authenticated user operations (/v1/user/*).

```http
Authorization: Bearer <jwt_token>
```

The JWT token is obtained from Supabase Auth after user login.

Example:

```bash
curl -X GET https://api.drop.mov/v1/user \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
```

2. Manager Token

Used for media group management operations (/v1/manager/*).

```http
Drop-Manager-Token: <manager_token>
```

Manager tokens are returned when creating a media group or can be retrieved from existing groups.

Example:

```bash
curl -X GET https://api.drop.mov/v1/manager \
  -H "Drop-Manager-Token: mgr_abc123..."
```

3. Viewer Token

Used for accessing shared media (/v1/viewer/*).

```http
Drop-Viewer-Token: <viewer_token>
```

Viewer tokens are created when generating share links.

Example:

```bash
curl -X GET https://api.drop.mov/v1/viewer \
  -H "Drop-Viewer-Token: vwr_xyz789..."
```

Token Scopes

Manager Token Capabilities

  • Get/update/delete media group
  • List/create/update/revoke shares
  • Delete media sources
  • Get download/play URLs
  • Full comment access (CRUD)

Viewer Token Capabilities

Depends on share permissions:

| Permission | Capability |
|---|---|
| (always) | Get media group info |
| (always) | Get play URLs |
| can_download | Get download URLs |
| can_view_comment | List comments |
| can_post_comment | Create/edit own comments |
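The table above is easy to encode as a single lookup from capability to required share flag, which keeps the authorization decision in one place. The TypeScript below is an added example, not drop.mov's implementation: the permission flag names (`can_download`, `can_view_comment`, `can_post_comment`) are from the table, while the `Share` shape, the `expiresAt` field (standing in for the expiration dates viewer tokens can carry), the capability names and the `permission_denied` error type are this example's own assumptions. A manager token is not modelled because the page grants it every capability unconditionally.

```typescript
// Added example (not drop.mov's own code): viewer-token authorization guard
// built from the documented share permission table.

type Capability =
  | 'get_group_info'
  | 'get_play_urls'
  | 'get_download_urls'
  | 'list_comments'
  | 'post_comment';

type PermissionFlag = 'can_download' | 'can_view_comment' | 'can_post_comment';

interface Share {
  can_download: boolean;
  can_view_comment: boolean;
  can_post_comment: boolean;
  expiresAt?: Date; // assumed field: viewer tokens "can have expiration dates"
}

// Flag each capability requires; null means always granted to a viewer.
const REQUIRED_FLAG: Record<Capability, PermissionFlag | null> = {
  get_group_info: null,
  get_play_urls: null,
  get_download_urls: 'can_download',
  list_comments: 'can_view_comment',
  post_comment: 'can_post_comment',
};

interface Decision {
  allowed: boolean;
  // 'token_expired' matches the documented error type; 'permission_denied'
  // is an assumed name for a flag that is not set on the share.
  errorType?: 'token_expired' | 'permission_denied';
}

function viewerDecision(share: Share, cap: Capability, now: Date = new Date()): Decision {
  // An expired share link grants nothing, regardless of its flags.
  if (share.expiresAt !== undefined && share.expiresAt.getTime() <= now.getTime()) {
    return { allowed: false, errorType: 'token_expired' };
  }
  const flag = REQUIRED_FLAG[cap];
  if (flag === null || share[flag]) return { allowed: true };
  return { allowed: false, errorType: 'permission_denied' };
}

// Everything a given share currently permits, in table order.
function allowedCapabilities(share: Share, now: Date = new Date()): Capability[] {
  return (Object.keys(REQUIRED_FLAG) as Capability[]).filter(
    (cap) => viewerDecision(share, cap, now).allowed,
  );
}

// Constructed sample: a download-only share with no expiry.
const downloadOnlyShare: Share = {
  can_download: true,
  can_view_comment: false,
  can_post_comment: false,
};
// allowedCapabilities(downloadOnlyShare) yields
// ['get_group_info', 'get_play_urls', 'get_download_urls']
```

Checking expiry before the flag lookup means a revoked-by-time link fails closed even if a stale share record still has permissive flags.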

Error Responses

Missing Token

```json
{
  "success": false,
  "error": {
    "errorType": "missing_token",
    "error": "Manager token is required"
  }
}
```

HTTP Status: 401

Invalid Token

```json
{
  "success": false,
  "error": {
    "errorType": "invalid_token",
    "error": "Invalid or expired token"
  }
}
```

HTTP Status: 401

Expired Token

```json
{
  "success": false,
  "error": {
    "errorType": "token_expired",
    "error": "Share link has expired"
  }
}
```

HTTP Status: 401
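All three failures share one envelope and one status code, so a client should branch on the machine-readable `errorType` rather than on the human-readable message. The TypeScript below is an added example, not part of the drop.mov SDK: the envelope layout, the three `errorType` values and the 401 status are from this page; the `Action` names, the handling policy and the `classifyResponse` helper are this example's own assumptions, and the sample bodies are constructed to mirror the documented responses.

```typescript
// Added example (not drop.mov's own code): classify the documented 401 error
// envelope into a client-side action.

interface ErrorEnvelope {
  success: false;
  error: { errorType: string; error: string };
}

// Assumed handling policy for each documented errorType.
type Action =
  | 'attach_credential'  // missing_token: the request went out with no header
  | 'reauthenticate'     // invalid_token: obtain a fresh credential, then retry once
  | 'request_new_link'   // token_expired: the share link is gone; a new one is needed
  | 'surface';           // anything else: do not retry, report it

// Structural check so an unexpected body is never trusted as an envelope.
function isErrorEnvelope(body: unknown): body is ErrorEnvelope {
  if (typeof body !== 'object' || body === null) return false;
  const b = body as Record<string, unknown>;
  if (b.success !== false) return false;
  const e = b.error;
  if (typeof e !== 'object' || e === null) return false;
  const err = e as Record<string, unknown>;
  return typeof err.errorType === 'string' && typeof err.error === 'string';
}

function classify(status: number, body: unknown): Action {
  // Only a 401 carrying the documented envelope is an authentication failure.
  if (status !== 401 || !isErrorEnvelope(body)) return 'surface';
  switch (body.error.errorType) {
    case 'missing_token': return 'attach_credential';
    case 'invalid_token': return 'reauthenticate';
    case 'token_expired': return 'request_new_link';
    default: return 'surface';
  }
}

// Convenience wrapper over a raw response body; malformed JSON is surfaced,
// never guessed at.
function classifyResponse(status: number, rawBody: string): Action {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawBody);
  } catch {
    return 'surface';
  }
  return classify(status, parsed);
}

// Constructed sample bodies mirroring the documented responses.
const SAMPLE_MISSING = '{"success":false,"error":{"errorType":"missing_token","error":"Manager token is required"}}';
const SAMPLE_INVALID = '{"success":false,"error":{"errorType":"invalid_token","error":"Invalid or expired token"}}';
const SAMPLE_EXPIRED = '{"success":false,"error":{"errorType":"token_expired","error":"Share link has expired"}}';
// classifyResponse(401, SAMPLE_MISSING) yields 'attach_credential'
```

Note that `invalid_token` covers both bad and expired credentials according to its message, so a single retry after re-authentication is the safe response; retrying in a loop on any 401 would turn a revoked token into a steady stream of failed requests.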

Security Best Practices

Token Storage

  • Browser: Store in memory or secure httpOnly cookies
  • Server: Use environment variables
  • Never: Commit tokens to version control

Token Rotation

Manager and Viewer tokens do not expire by default, but:

  • Viewer tokens can have expiration dates
  • Tokens can be revoked at any time

HTTPS Only

Always use HTTPS in production. HTTP requests to the production API are rejected.

SDK Authentication

Using the @dropmov/client SDK simplifies authentication:

```typescript
import { DropClient } from '@dropmov/client';

// User context with JWT. `supabase` is the Supabase client created elsewhere
// in the application; the SDK calls getAccessToken before each user request.
const client = new DropClient({
  origin: 'https://api.drop.mov',
  getAccessToken: async () => {
    const session = await supabase.auth.getSession();
    return session.data.session?.access_token ?? null;
  },
});

// Manager context (managerToken was returned when the media group was created)
const managerCtx = client.manager(managerToken);

// Viewer context (viewerToken was created with a share link)
const viewerCtx = client.viewer(viewerToken);
```

drop.mov ― a kumo™ product