The Aplauso API uses Firebase Authentication ID tokens as bearer tokens. Most endpoints require a valid token; a few guest-facing endpoints (such as creating a tip from a kiosk) are publicly accessible.
Getting a Token
From a Firebase Client SDK (frontend apps)
import { getAuth } from "firebase/auth";
const auth = getAuth();
const user = auth.currentUser;
if (user) {
const idToken = await user.getIdToken();
// idToken is a signed JWT string
}
Tokens expire after 1 hour. The Firebase SDK refreshes them automatically. Always call getIdToken() immediately before each request rather than caching the result.
From the Firebase Admin SDK (server-side)
import admin from "firebase-admin";
// After initializing the Admin SDK with your service account:
const customToken = await admin.auth().createCustomToken(uid);
// Exchange the custom token for an ID token using the REST API
For server-to-server calls, use a service account with Firebase Admin SDK and create a custom token, then exchange it for an ID token via the Firebase Auth REST API.
Sending the Token
Include the token in the Authorization header of every request:
Authorization: Bearer <idToken>
Example:
GET /v2/analytics?type=employee&employeeId=abc123&environment=live
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Which Endpoints Require Auth
| Auth Required | Endpoints |
|---|---|
| Always required | Wallet, Dividends (PATCH), Employees (POST), Properties, Insights, Admin |
| Optional (enriches data if provided) | Tips (POST/GET), Ratings (POST/GET), Visits (POST), Guests (GET) |
| Never required | Stripe publishable key, Monitoring health check |
When a token is provided on optional endpoints, the createdBy field on the created record is set to the authenticated user's UID.
Roles and Permissions
Every authenticated user has a numeric role stored in their Firestore user document:
| Role | Value | Typical Capabilities |
|---|---|---|
| Employee | 10 | Read own tips/ratings/wallet; update own profile |
| Front Desk | 20 | Employee + limited team visibility |
| Manager | 30 | Front Desk + create invites, view team analytics |
| Outlet Admin | 40 | Manage outlet-scoped employees and analytics |
| Department Admin | 50 | Manage department-scoped data |
| Property Admin | 60 | Full property management, Stripe billing, all property analytics |
| Regional Admin | 70 | Multi-property management |
| System Admin | 100 | Full platform access |
The role is validated server-side. Attempting to access a resource outside your role scope returns 403 Forbidden.
Scope Validation
In addition to role level, the API validates that the authenticated user has access to the specific organization, property, or department being queried. For example:
- A PropertyAdmin at Property A cannot read data for Property B.
- An Employee can only read their own tip and dividend records.
Pass the correct propertyId or organizationId in your requests and ensure your token belongs to a user with the appropriate role at that scope.
Token Errors
| Error | Cause | Fix |
|---|---|---|
401 Unauthenticated | No or malformed Authorization header | Include Bearer <idToken> header |
401 Token expired | ID token older than 1 hour | Call user.getIdToken(true) to force refresh |
403 Forbidden | Valid token but insufficient role | Use an account with the required role |