Authentication
Every request must include a signed JWT in the Authorization header:
curl 'https://api.partners.thecareeros.com/v1/universities' \
-H "Authorization: Bearer $TOKEN"
Tokens are issued by CareerOS during onboarding and delivered out of band. There is no self-service token endpoint — if you need a new token or a rotation, contact support@thecareeros.com.
What’s inside the token
| Claim | Value |
|---|---|
iss | https://api.partners.thecareeros.com |
aud | careeros-partners-api |
role | api_partner |
partner_type | university or consortium |
partner_id | Your university / consortium UUID |
iat, exp | Issued-at / expiry — tokens are typically valid 1 year |
Tenancy — what your token can see
partner_type + partner_id together control the rows every resource returns:
partner_type | partner_id is… | What you see |
|---|---|---|
university | A single university UUID | Records belonging to that one university |
consortium | A consortium UUID | Records belonging to any member university — membership is resolved at request time, so consortium changes take effect immediately without re-issuing your token |
The tenant boundary is enforced inside the database, underneath the API layer. The API will never return another partner’s data, no matter what filters you put in the query string.
Handling rules
- Treat the token like an OAuth
client_secret: store it in a secret manager, never in code or a repository. - Use it server-side. If you paste a token into the interactive console on this site, it stays in your browser — but avoid doing that on shared machines, and prefer a short-lived test token if you have one.
- Rotate on suspicion of compromise: ask us for a new token and we’ll deprecate the old one.
- Expired token →
401with"message": "JWT expired". We email token holders ahead of expiry.