Authentication

Valora Cloud supports two authentication models:

  • JWT Bearer tokens for user-context access.
  • API Keys for server-to-server integrations.

JWT authentication

  • 401 Unauthorized: token expired, malformed, or invalid signature.
  • 403 Forbidden: token is valid but lacks permissions.
  • If a user can sign in but cannot access a module, validate role mapping.
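
An added example, not Valora Cloud's own code: a local triage helper that rules out the malformed and expired causes of a 401 before the signature or the role mapping is investigated. It assumes a standard three-segment JWT with the registered `exp` claim; `sample_token`, the RS256 header and the claim values are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sample_token(claims: dict) -> str:
    # Constructed input: assumed RS256 header and a placeholder signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.c2lnbmF0dXJl"


def triage_jwt(token: str, now: Optional[float] = None) -> dict:
    """Rule out the locally checkable 401 causes (malformed, expired).

    The signature is not verified here because that needs the issuer's key,
    so "well_formed" leaves an invalid signature as the remaining 401 cause.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return {"status": "malformed", "detail": "expected 3 non-empty segments"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        return {"status": "malformed", "detail": f"undecodable segment: {exc}"}
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return {"status": "malformed", "detail": "segment is not a JSON object"}
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return {"status": "expired", "detail": f"expired {int(now - exp)}s ago"}
    # For a 403, compare these claims with the role mapping on the server side.
    return {"status": "well_formed", "alg": header.get("alg"), "claims": claims}


if __name__ == "__main__":
    print(triage_jwt(sample_token({"sub": "user-1", "exp": 1}))["status"])
```

Run it only on a trusted workstation, since the decoded claims and the token itself are credentials-grade data.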

API Key authentication

  • Confirm the key belongs to the right environment.
  • Confirm the secret has not been rotated.
  • Request the X-Request-Id for backend tracing when available.