API keys

Send the key as a Bearer token (this is not only for JWTs — the BFF accepts configured API keys the same way):
Authorization: Bearer dev-internal-api-key
Use keys issued for your integration. Development defaults are listed in the main repository README (do not use in production).

OAuth2 client credentials

1. Request a token

   POST /v1/oauth/token with Content-Type: application/x-www-form-urlencoded and body: grant_type=client_credentials&client_id=...&client_secret=...

2. Call the API

   Authorization: Bearer <access_token> on /v1/* routes (except /v1/oauth/token and public OpenAPI/health as documented).

Registry and scopes

Each client has a machine identity in the registry with:
  • allowedEntities — e.g. products, categories, destinations, …
  • allowedChannelIds — content channel ids from the upstream CMS, or * for internal clients.
Calls to an entity return 403 if that entity is not allowed for the client.
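The client-credentials exchange from the previous section and the per-entity 403 described here, as an added Python example that is not the project's own code: fake_bff is a constructed in-memory stand-in for the server (its token store, the registry entry svc-catalog, its secret and the 3600 s token lifetime are assumptions), and BffClient shows the caller side, including reusing the token until shortly before it expires.

```python
import hmac
import secrets
import time
import urllib.parse

# Constructed sample registry entry: one machine identity and what it may call.
REGISTRY = {"svc-catalog": {"secret": "dev-only-secret",
                            "allowedEntities": {"products", "categories"}, "allowedChannelIds": {"*"}}}
ISSUED = {}  # access_token -> (client_id, expiry): in-memory stand-in for the BFF's token store

def fake_bff(method, path, headers, body):
    """Offline stand-in for the BFF (an assumption: the real server checks the same things)."""
    if method == "POST" and path == "/v1/oauth/token":
        if headers.get("Content-Type") != "application/x-www-form-urlencoded":
            return 400, {"error": "invalid_request"}
        form = dict(urllib.parse.parse_qsl(body or ""))
        client = REGISTRY.get(form.get("client_id", ""))
        if (form.get("grant_type") != "client_credentials" or client is None
                or not hmac.compare_digest(client["secret"], form.get("client_secret", ""))):
            return 401, {"error": "invalid_client"}  # same answer for unknown id and bad secret
        token = secrets.token_urlsafe(24)
        ISSUED[token] = (form["client_id"], time.monotonic() + 3600)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
    # Any other /v1/* route: Bearer token first, then the registry decides per entity.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    client_id, expiry = ISSUED.get(token, (None, 0))
    if scheme != "Bearer" or client_id is None or time.monotonic() > expiry:
        return 401, {"error": "invalid_token"}
    entity = path.split("/")[2]  # /v1/<entity>/...
    if entity not in REGISTRY[client_id]["allowedEntities"]:
        return 403, {"error": "entity_not_allowed", "entity": entity}
    return 200, {"entity": entity, "items": []}

class BffClient:  # caller side: obtain a token once, reuse it until shortly before expiry
    def __init__(self, transport, client_id, client_secret):
        self._send, self._id, self._secret = transport, client_id, client_secret
        self._token, self._expires_at = None, 0.0

    def _token_for_request(self):
        if self._token is None or time.monotonic() > self._expires_at - 30:  # refresh early
            body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                           "client_id": self._id, "client_secret": self._secret})
            status, payload = self._send("POST", "/v1/oauth/token",
                                         {"Content-Type": "application/x-www-form-urlencoded"}, body)
            if status != 200:
                raise PermissionError(f"token request failed: {status} {payload}")
            self._token, self._expires_at = payload["access_token"], time.monotonic() + payload["expires_in"]
        return self._token

    def get(self, path):
        return self._send("GET", path, {"Authorization": f"Bearer {self._token_for_request()}"}, None)
```

Swap fake_bff for a real HTTP transport with the same (method, path, headers, body) signature to run the client against a deployment.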

Brand / tenant defaults

For routes that call the upstream CMS with tenant routing, pass brand (query) or set CONTENT_DEFAULT_CHANNEL_DOMAIN on the server. Resolve valid values via GET /v1/distribution-channels. See Sandbox for environment variables.