Authentication - Splendor

Splendor uses two pieces of identity on every request:

A bearer token in the Authorization header that identifies you.
A tenant header, X-Splendor-Tenant-Id, that selects which workspace you are acting in.

curl https://api.withsplendor.com/v1/datasets \
  -H "Authorization: Bearer $SPLENDOR_TOKEN" \
  -H "X-Splendor-Tenant-Id: $SPLENDOR_TENANT_ID"

You get both values from the console. Treat the token as a secret: never embed it in client-side code or commit it to version control.

The tenant header

A token can grant access to more than one tenant. The X-Splendor-Tenant-Id header tells Splendor which one this request applies to, and the API enforces that the token actually has access to it. The header is required on every endpoint except two:

GET /v1/me — returns your identity and the tenants you can access, so it runs before you have chosen one.
Workspace provisioning, which is a Splendor-operated endpoint.

Requests that omit the tenant header where it is required return 400. Requests that name a tenant your token cannot access return 403.

Discover your tenants

Call /v1/me to see who you are and which tenants you can select. Use the tenant_id values it returns as your X-Splendor-Tenant-Id.

curl https://api.withsplendor.com/v1/me \
  -H "Authorization: Bearer $SPLENDOR_TOKEN"

Response

{
  "user_id": "user_01H...",
  "email": "you@example.com",
  "is_staff": false,
  "tenants": [
    { "tenant_id": "acme", "name": "Acme", "role": "Admin", "is_admin": true }
  ]
}

Roles

Within a tenant, read and query endpoints are available to any member. Operations that create, change, or delete data — managing sources and connectors, editing detections, deleting datasets, triggering reindexes — require an admin role. Splendor staff operate a separate platform plane that is not part of the customer API. See Roles & permissions for the full breakdown of which operations require which role, and Plans & RBAC for how role enforcement is enabled.

Responses to expect

Status	Meaning
`401`	The token is missing, malformed, or expired.
`403`	The token is valid but lacks access to the selected tenant, or the role required for the operation.
`400`	The tenant header is required for this endpoint and was not supplied.

For the full error model and codes, see Errors.

​The tenant header

​Discover your tenants

​Roles

​Responses to expect

The tenant header

Discover your tenants

Roles

Responses to expect