# Insight API Security
Insight API is a set of stateless REST endpoints that offer different functionalities from the Insight application. Each module composing the API supports common features, such as the authentication and authorization methods.
# Authentication
The Insight API requires authenticated access through Insight. These endpoints are stateless and support the following authentication methods:
- mrf-secret-key
- JWT (JSON Web Token)
# mrf-secret-key
`mrf-secret-key` is a secret generated through the Insight UI (User profile view).
This secret is a permanent token, generated with the same permissions as the user who created it.
Although it is permanent, a user can change it from the same profile view.
To send an authenticated request, you must send this secret as a request header:
- Header name: `mrf-secret-key`
- Header value: `my-secret-key-value`
# JWT
JWT is a more secure method than `mrf-secret-key`, because it has the following characteristics:
- Not permanent: 10 days expiration time
- Stateless: a JWT is a self-contained token that carries the authentication information and its expiration time.
- Cryptographically signed
Make a POST request to the following endpoint to generate a JWT token:
https://insight.marfeel.com/hub/jwt/token
An `Authorization` response header returns the JWT token.
Once the token is received, you can make any API request passing this token as an `Authorization` request header:
- Header name: `Authorization`
- Header value: `Bearer token-value`
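Because the token expires after 10 days and carries its own expiration time, a client can read that time locally and renew before requests start failing. The following is an added example, not code from Insight or Marfeel: it assumes the expiration is in the standard `exp` claim and that the returned header value may or may not include the `Bearer ` prefix; all function names and the one-day renewal margin are hypothetical.

```python
import base64
import json
import time

REFRESH_MARGIN = 24 * 3600  # assumption: renew one day before expiry


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_constructed_token(exp: int) -> str:
    """Constructed sample token with a fake signature, so this runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "sample-user", "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def token_from_header(value: str) -> str:
    """Accept the Authorization value with or without a 'Bearer ' prefix."""
    scheme, _, rest = value.strip().partition(" ")
    return rest.strip() if scheme.lower() == "bearer" and rest else value.strip()


def jwt_expiry(token: str) -> int:
    """Read 'exp' from the payload. No signature check: scheduling use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))  # ValueError if garbled
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise ValueError("JWT payload has no integer 'exp' claim")
    return claims["exp"]


def needs_refresh(token: str, now=None) -> bool:
    now = time.time() if now is None else now
    return jwt_expiry(token) - now <= REFRESH_MARGIN


def request_headers(authorization_value: str, now=None) -> dict:
    """Build the request header, refusing a token that is expired or about to be."""
    token = token_from_header(authorization_value)
    if needs_refresh(token, now):
        raise RuntimeError("JWT expired or near expiry: request a new token")
    return {"Authorization": f"Bearer {token}"}
```

The decoded payload is not trusted for any access decision here; the server still validates the signature on every request.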
# Authorization
The authorization mechanism uses access control lists (ACL). You only get data to which you have read access. You have access if you are a registered user of the tenant's Media Group on Insight.