# Authentication

HEMS uses Bearer Token authentication. All API requests require a valid JSON Web Token (JWT).

## Organization Credentials

Upon registration, you will receive:

- **Organization ID**: A unique identifier for your entity.
- **Organization Secret**: A confidential key used to sign requests and acquire access tokens.

> **Warning:** Never share your Organization Secret in client-side code, public repositories, or with unauthorized personnel.

## Acquiring an Access Token

To interact with the HEMS API, you must first exchange your credentials for a short-lived bearer token. The token is valid for `expiresIn` seconds (3600 in the example below), so a client should cache it and request a new one shortly before it expires rather than sending the Organization Secret on every call.

### Request

`POST /organization/auth/token`

```json
{
  "organizationId": "your_org_id",
  "secret": "your_org_secret"
}
```

### Response

```json
{
  "accessToken": "eyJh... (JWT)",
  "expiresIn": 3600,
  "scope": ["Devices", "Users"]
}
```

## Scopes

HEMS uses granular scopes to restrict access. Common scopes include:

- `Users`: Ability to list and manage user accounts.
- `Devices`: Access to monitor and control energy devices.

## Authentication Headers

All protected requests must include the `Authorization` header, where `<accessToken>` is the value of the `accessToken` field returned by the token endpoint:

```http
Authorization: Bearer <accessToken>
```
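The following is an added example, not code from HEMS or its documentation, showing the full flow described on this page: exchange the organization credentials for a token at `/organization/auth/token`, cache it, renew it before `expiresIn` elapses, and attach it as a `Bearer` header. The HTTP transport is injected so the example runs offline against a constructed stand-in server; the `FakeHemsServer` class, the `REFRESH_MARGIN_SECONDS` value and the `eyJh.fake.N` token strings are assumptions for the demo, not HEMS behaviour.

```python
import hmac
import time
from typing import Any, Callable, Dict, List, Optional

TOKEN_ENDPOINT = "/organization/auth/token"  # endpoint from the HEMS docs
REFRESH_MARGIN_SECONDS = 60  # assumption: renew this long before expiry


class HemsTokenClient:
    """Exchanges organization credentials for a bearer token and caches it.

    `post` is an injected transport: post(path, json_body) -> parsed JSON dict.
    Injecting it keeps the example offline; in a real client pass a thin
    wrapper around e.g. requests.post (hypothetical wiring, not HEMS code).
    """

    def __init__(self, organization_id: str, secret: str,
                 post: Callable[[str, Dict[str, Any]], Dict[str, Any]],
                 clock: Callable[[], float] = time.time) -> None:
        self._org_id = organization_id
        self._secret = secret  # keep out of logs and error messages
        self._post = post
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.scopes: List[str] = []

    def _fetch_token(self) -> None:
        body = self._post(TOKEN_ENDPOINT,
                          {"organizationId": self._org_id, "secret": self._secret})
        for key in ("accessToken", "expiresIn"):
            if key not in body:
                raise RuntimeError(f"token response missing {key!r}")
        self._token = body["accessToken"]
        self._expires_at = self._clock() + float(body["expiresIn"])
        self.scopes = list(body.get("scope", []))

    def access_token(self) -> str:
        """Return the cached token, fetching a new one when it is near expiry."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_SECONDS:
            self._fetch_token()
        return self._token  # type: ignore[return-value]

    def auth_headers(self) -> Dict[str, str]:
        """Header to attach to every protected HEMS request."""
        return {"Authorization": f"Bearer {self.access_token()}"}

    def has_scope(self, scope: str) -> bool:
        self.access_token()  # make sure `scopes` reflects a live token
        return scope in self.scopes


class FakeHemsServer:
    """Constructed stand-in for the token endpoint so the demo runs offline."""

    def __init__(self, organization_id: str, secret: str) -> None:
        self._org_id = organization_id
        self._secret = secret
        self.issued = 0  # how many tokens have been handed out

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if path != TOKEN_ENDPOINT:
            raise RuntimeError(f"404 Not Found: {path}")
        # constant-time comparison so a timing side channel cannot leak the secret
        ok = (body.get("organizationId") == self._org_id and
              hmac.compare_digest(str(body.get("secret", "")).encode(),
                                  self._secret.encode()))
        if not ok:
            raise PermissionError("401 Unauthorized")
        self.issued += 1
        # "eyJh.fake.N" stands in for a real signed JWT; the shape matches the docs
        return {"accessToken": f"eyJh.fake.{self.issued}", "expiresIn": 3600,
                "scope": ["Devices", "Users"]}


def demo():
    """Show caching and early refresh using a controllable clock."""
    server = FakeHemsServer("org_123", "s3cret")
    now = [1_000_000.0]
    client = HemsTokenClient("org_123", "s3cret", server.post, clock=lambda: now[0])
    first = client.auth_headers()
    second = client.auth_headers()  # served from cache, no second POST
    now[0] += 3600 - 30             # 30 s before expiry, inside the refresh margin
    third = client.auth_headers()   # triggers a fresh token exchange
    return first, second, third, server.issued


if __name__ == "__main__":
    first, second, third, issued = demo()
    print(first, second == first, third != first, issued)
```

The client never stores the secret anywhere a log or exception could pick it up, and it renews the token a fixed margin before expiry so a request in flight does not fail with a 401 at the boundary. A wrong secret surfaces as a `PermissionError` from the transport rather than a silently empty header.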