The Monterey API uses Microsoft Entra ID (formerly Azure AD) for authentication and workspace-scoped role-based access control for authorization.

Authentication flow

Every request must include a JWT bearer token from Entra ID in the Authorization header:
Authorization: Bearer <entra-id-jwt>
The API validates the token, extracts the user identity, and resolves their workspace memberships and roles.
The only endpoint that does not require a workspace_id header is GET /auth/me, which returns the authenticated user’s profile and all workspace memberships.

Required headers

| Header | Description |
| --- | --- |
| Authorization | Bearer <jwt> from Microsoft Entra ID |
| workspace_id | UUID of the target workspace (required for all endpoints except /auth/me) |

Roles

Each workspace membership has a role that determines access level:

| Role | Permissions |
| --- | --- |
| viewer | Read-only access to workspace resources |
| editor | Create, update, and delete workspace resources |
| admin | Full access including membership management |
| platform_admin | Cross-workspace access, workspace CRUD, app user management |

Dev authentication bypass

For local development, set DEV_AUTH_ENABLED=1 in your environment. This skips Entra ID token validation and returns a mock user for all requests.
Never enable dev auth bypass in production environments.
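
A pre-deploy check for the rule above, as an added example (not Monterey's own code): it scans deployment configuration text and reports any line that sets DEV_AUTH_ENABLED to something other than an off value. The set of off values, the config formats covered, and the script name are assumptions; the page documents only DEV_AUTH_ENABLED=1.

```python
import re
import sys

# Values treated as "off". Anything else is flagged: the page documents only
# DEV_AUTH_ENABLED=1, so how other values are parsed is an assumption here.
OFF_VALUES = {"", "0", "false", "no", "off"}

# .env / shell export / Dockerfile ENV / compose list or map forms.
INLINE_RE = re.compile(
    r"^\s*(?:-\s*)?(?:export\s+|ENV\s+)?DEV_AUTH_ENABLED\s*(?:=|:\s|\s)\s*(.*)$")
# Kubernetes style: "- name: DEV_AUTH_ENABLED" with "value: ..." on the next line.
K8S_NAME_RE = re.compile(r"^\s*-?\s*name:\s*[\"']?DEV_AUTH_ENABLED[\"']?\s*$")
K8S_VALUE_RE = re.compile(r"^\s*value:\s*(.*)$")

# Constructed sample covering the forms above.
SAMPLE = """\
LOG_LEVEL=info
DEV_AUTH_ENABLED=1
export DEV_AUTH_ENABLED=0
ENV DEV_AUTH_ENABLED "true"
  - name: DEV_AUTH_ENABLED
    value: "1"
  DEV_AUTH_ENABLED: "false"
"""

def _clean(raw):
    """Drop an inline comment and surrounding quotes, then lowercase."""
    raw = re.split(r"(?:^|\s+)#", raw, maxsplit=1)[0].strip()
    return raw.strip("\"'").strip().lower()

def find_dev_auth_bypass(text):
    """Return [(line_number, line)] for settings that turn the bypass on."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = INLINE_RE.match(line)
        if m is None and K8S_NAME_RE.match(line) and i + 1 < len(lines):
            m = K8S_VALUE_RE.match(lines[i + 1])
        if m and _clean(m.group(1)) not in OFF_VALUES:
            findings.append((i + 1, line.strip()))
    return findings

if __name__ == "__main__":
    # Hypothetical usage: python check_dev_auth.py <config files>; no args scans SAMPLE.
    texts = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    hits = [(p, n, l) for p, t in texts.items() for n, l in find_dev_auth_bypass(t)]
    for path, num, line in hits:
        print(f"{path}:{num}: dev auth bypass enabled: {line}")
    sys.exit(1 if hits else 0)
```

Run it in CI against the files that feed a production deployment; a non-zero exit fails the pipeline.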

Example: get current user

curl -H "Authorization: Bearer <token>" \
  http://localhost:8000/auth/me
Response includes the user’s profile, workspace memberships, and roles:
{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "email": "user@montereyfinancial.com",
  "display_name": "Jane Doe",
  "memberships": [
    {
      "workspace_id": "...",
      "workspace_name": "Collections",
      "role": "editor"
    }
  ]
}