Authentication
All API requests require a Bearer token in the Authorization header.
Authorization: Bearer eyJhbGciOiJFZERTQS...
Creating an API key
- Log in to Docwize and navigate to Settings > API Keys
- Click Create API Key
- Enter a name and select the required scopes
- Copy the token immediately — it is shown only once and cannot be retrieved later
Token payload
The JWT contains these claims:
| Claim | Type | Description |
|---|---|---|
| company_login | string | The organisation code this token authenticates against. All API requests are scoped to this organisation's data. |
| scope | string | Comma-separated list of granted scopes (e.g. "documents_read,documents_write,search"). Determines which endpoints the token can access. |
| token_type | string | Either "user" or "full_control". A user token inherits the document permissions of the associated user. A full_control token has unrestricted access to all documents. |
| user_email | string or null | For user tokens, the email of the user whose permissions the token inherits. null for full_control tokens. |
| name | string | The human-readable name given to the API key at creation time. |
| exp | integer | Token expiry as a Unix epoch timestamp. Requests made after this time are rejected with 401. |
Scopes
Each endpoint requires a specific scope. A token with full_control in its scope list bypasses all scope checks.
| Scope | Grants access to |
|---|---|
| documents_read | Get File Information, Download, Download URL, Version History, List Folders, Schema Fields, Schema Values |
| documents_write | Upload Document, Upload Version, Update File, Create Folder, Move Folder, Delete Folder |
| search | Search |
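
An added example, not part of the Docwize documentation or its code: a pre-deployment check that decodes a token's payload and compares its `scope`, `token_type` and `exp` claims with the endpoints an integration actually needs, using the claim and scope tables above. It reads the payload without verifying the signature (the API does that); `audit_token`, `sample_token`, the finding strings and the sample claim values are constructed for illustration.

```python
import base64
import json
import time

# Scope -> endpoints, copied from the Scopes table on this page.
SCOPE_ENDPOINTS = {
    "documents_read": {"Get File Information", "Download", "Download URL",
                       "Version History", "List Folders", "Schema Fields",
                       "Schema Values"},
    "documents_write": {"Upload Document", "Upload Version", "Update File",
                        "Create Folder", "Move Folder", "Delete Folder"},
    "search": {"Search"},
}

def decode_claims(token):
    """Read the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_token(token, needed_endpoints, now=None):
    """Return least-privilege findings for a key before it is deployed."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    needed = set(needed_endpoints)
    scopes = {s.strip() for s in (claims.get("scope") or "").split(",") if s.strip()}
    findings = []
    if now > claims.get("exp", 0):
        findings.append("expired")  # the API answers 401 after exp
    if claims.get("token_type") == "full_control":
        findings.append("unrestricted-documents")  # not limited to one user's permissions
    if "full_control" in scopes:
        findings.append("bypasses-scope-checks")
    else:
        reachable = set().union(*(SCOPE_ENDPOINTS.get(s, set()) for s in scopes))
        findings += [f"missing-scope-for:{e}" for e in sorted(needed - reachable)]
    for s in sorted(scopes & set(SCOPE_ENDPOINTS)):
        if not SCOPE_ENDPOINTS[s] & needed:
            findings.append(f"unused-scope:{s}")  # granted but never exercised
    return findings

def sample_token(claims):
    """Build a constructed, unsigned token for the demo (dummy signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'EdDSA', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    tok = sample_token({"company_login": "ACME", "scope": "documents_read,documents_write,search",
                        "token_type": "user", "user_email": "svc@example.com",
                        "name": "nightly-export", "exp": 2000000000})
    print(audit_token(tok, {"Download", "Search"}, now=1900000000))
```
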
Token revocation
Tokens can be revoked at any time from Settings > API Keys in the Docwize portal. Revoked tokens are rejected immediately on the next API call — there is no grace period.