The PlaneConnection API supports multiple authentication methods depending on your use case. All authenticated endpoints return 401 Unauthorized if no valid credentials are provided.

Authentication Methods

Public Endpoints

The following endpoints do not require authentication:

  Endpoint                             Description
  GET  /health                         Liveness probe
  GET  /readiness                      Deep readiness probe
  GET  /                               API documentation (Scalar)
  GET  /llms.txt                       LLM-optimized docs
  POST /api/webhooks/resend            Resend email webhooks (signature-verified)
  POST /api/webhooks/stripe            Stripe payment webhooks (signature-verified)
  POST /api/webhooks/stripe-connect    Stripe Connect webhooks (signature-verified)
  GET  /api/v1/aviation/*              Public FAA data
  POST /api/v1/signup/*                Self-service signup
  GET  /api/v1/utils/*                 Utility endpoints (QR codes)
  POST /api/v1/sms/public/*            Anonymous safety report submission

Role-Based Access Control (RBAC)

After authentication, the API enforces role-based access control. The authenticated user’s role determines which endpoints and actions they can access.

Role Hierarchy

Roles are organized in a hierarchy where higher-level roles have more privileges. Some endpoints require a minimum role level.

  Level    Roles
  8        platform_admin
  7        system_administrator, super_admin
  6        admin, director_of_operations, accountable_executive
  5        safety_manager, chief_pilot, director_of_maintenance, manager, sole_proprietor
  4        investigator, dispatcher, staff
  3        pilot, mechanic, cabin_crew
  2        owner, auditor, inspector
  1        customer, external_reporter, fbo_customer

Role Guards

The API enforces role-based access on every request:
  • Unauthenticated requests receive 401.
  • Authenticated users whose role is below the minimum required level receive 403.
For example, AI email endpoints require the staff role (level 4+), while webhook management requires admin (level 6+).

Auth Context

Once authenticated, route handlers receive an auth context object with these fields:

  Field          Type       Description
  userId         string     Unique user identifier
  workspaceId    string     Current workspace/tenant ID
  role           string     User's role in the current workspace
  isAdmin        boolean    Whether the user has admin privileges
  email          string     User's email address
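The guard behaviour described above (401 for no credentials, 403 for a role below the required level) and the auth-context fields can be combined into a small minimum-role check. The following is an added example written for this page, not PlaneConnection's own middleware: the `requireRole` and `roleLevel` function names, the `GuardResult` shape and the sample contexts are assumptions; the role levels, context fields and error codes are taken from this page.

```typescript
// Added example: a role guard built from this page's role hierarchy and
// auth-context fields. Not PlaneConnection's own code; function names, the
// GuardResult shape and the sample contexts are assumptions.

// Auth context fields exactly as documented under "Auth Context".
interface AuthContext {
  userId: string;
  workspaceId: string;
  role: string;
  isAdmin: boolean;
  email: string;
}

// Role hierarchy from the page: a higher level means more privileges.
const ROLE_LEVEL: Record<string, number> = {
  platform_admin: 8,
  system_administrator: 7, super_admin: 7,
  admin: 6, director_of_operations: 6, accountable_executive: 6,
  safety_manager: 5, chief_pilot: 5, director_of_maintenance: 5, manager: 5, sole_proprietor: 5,
  investigator: 4, dispatcher: 4, staff: 4,
  pilot: 3, mechanic: 3, cabin_crew: 3,
  owner: 2, auditor: 2, inspector: 2,
  customer: 1, external_reporter: 1, fbo_customer: 1,
};

// Error body shape shown under "Error Responses".
interface ApiError {
  error: string;
  code: "UNAUTHORIZED" | "FORBIDDEN";
  requestId: string;
}

type GuardResult =
  | { status: 200; auth: AuthContext }
  | { status: 401 | 403; body: ApiError };

// Unknown or misspelled role names resolve to level 0, so they fail every
// guard instead of silently passing (fail closed).
function roleLevel(role: string): number {
  return ROLE_LEVEL[role] ?? 0;
}

// Minimum-role check: no auth context -> 401, role below the level -> 403.
// This example decides on the level comparison alone and only carries the
// isAdmin flag through; it does not let the flag override the hierarchy.
function requireRole(minRole: string, auth: AuthContext | null, requestId: string): GuardResult {
  if (auth === null) {
    return { status: 401, body: { error: "Authentication required", code: "UNAUTHORIZED", requestId } };
  }
  const required = roleLevel(minRole);
  if (roleLevel(auth.role) < required) {
    return {
      status: 403,
      body: { error: `Requires ${minRole} (level ${required}) or higher`, code: "FORBIDDEN", requestId },
    };
  }
  return { status: 200, auth };
}

// Constructed sample contexts (not real users or workspaces).
const PILOT: AuthContext = {
  userId: "usr_pilot_1", workspaceId: "workspace_abc123", role: "pilot", isAdmin: false, email: "pilot@example.com",
};
const CHIEF_PILOT: AuthContext = { ...PILOT, userId: "usr_cp_1", role: "chief_pilot", email: "cp@example.com" };
const ADMIN: AuthContext = { ...PILOT, userId: "usr_admin_1", role: "admin", isAdmin: true, email: "admin@example.com" };

// Walk the two guards named on the page: AI email endpoints need staff (4+),
// webhook management needs admin (6+).
function demo(): Record<string, number> {
  return {
    anonymousStaff: requireRole("staff", null, "req_demo1").status,         // 401
    pilotStaff: requireRole("staff", PILOT, "req_demo2").status,            // 403 (3 < 4)
    chiefPilotStaff: requireRole("staff", CHIEF_PILOT, "req_demo3").status, // 200 (5 >= 4)
    chiefPilotAdmin: requireRole("admin", CHIEF_PILOT, "req_demo4").status, // 403 (5 < 6)
    adminAdmin: requireRole("admin", ADMIN, "req_demo5").status,            // 200
  };
}

console.log(demo());
```

The guard returns the 401 body before looking at the role, so an unauthenticated caller learns nothing about which level the endpoint requires; the 403 message is only produced for an authenticated caller.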

Token Verification

  1. Obtain a session token
     Obtain a session token from the authentication SDK in your frontend application.

  2. Include the token in your request
     Pass the token as a Bearer token in the Authorization header:

       curl -X GET https://api.planeconnection.com/api/v1/safety/reports \
         -H "Authorization: Bearer $TOKEN" \
         -H "X-Tenant-Id: workspace_abc123"

  3. Handle token expiration
     Session tokens are short-lived. If the API returns 401, refresh the token using the authentication SDK and retry the request.
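The three steps above, carried through as one client wrapper. This is an added example, not the PlaneConnection authentication SDK: it sends the Bearer token and the X-Tenant-Id header shown in the curl command and, on a 401, refreshes the token exactly once through a caller-supplied function and retries. The `Transport` and `TokenSource` interfaces, the `apiGet` function and the fake server are assumptions constructed so the example runs offline.

```typescript
// Added example, not the PlaneConnection SDK. The Transport/TokenSource
// interfaces and the fake server are assumptions; the URL, header names and
// the 401 body are taken from this page.

interface ApiResponse {
  status: number;
  body: unknown;
}

type HeaderMap = Record<string, string>;

// Anything that can perform an HTTP request; in a browser this would wrap fetch().
type Transport = (url: string, init: { method: string; headers: HeaderMap }) => Promise<ApiResponse>;

// Where tokens come from: current() returns the cached session token and
// refresh() asks the auth SDK for a new one (both names are assumed).
interface TokenSource {
  current(): string;
  refresh(): Promise<string>;
}

async function apiGet(url: string, tenantId: string, tokens: TokenSource, send: Transport): Promise<ApiResponse> {
  const request = (token: string) =>
    send(url, { method: "GET", headers: { Authorization: `Bearer ${token}`, "X-Tenant-Id": tenantId } });

  let res = await request(tokens.current());
  if (res.status === 401) {
    // Refresh exactly once; a second 401 is handed back to the caller so a
    // revoked session cannot turn into an endless refresh/retry loop.
    res = await request(await tokens.refresh());
  }
  return res;
}

// Constructed fake server: only "tok_fresh" is accepted; anything else gets the
// 401 body documented under "Error Responses". Counts attempts for the demo.
function makeFakeServer() {
  let attempts = 0;
  const transport: Transport = async (_url, init) => {
    attempts += 1;
    if (init.headers.Authorization === "Bearer tok_fresh") {
      return { status: 200, body: { reports: [] } };
    }
    return {
      status: 401,
      body: { error: "Authentication required", code: "UNAUTHORIZED", requestId: "req_a1b2c3d4" },
    };
  };
  return { transport, attempts: () => attempts };
}

// Token source whose cached token has expired; refresh() yields the accepted one.
function makeExpiredTokenSource() {
  let token = "tok_expired";
  let refreshes = 0;
  const source: TokenSource = {
    current: () => token,
    refresh: async () => {
      refreshes += 1;
      token = "tok_fresh";
      return token;
    },
  };
  return { source, refreshes: () => refreshes };
}

async function demo(): Promise<{ status: number; attempts: number; refreshes: number }> {
  const server = makeFakeServer();
  const tokens = makeExpiredTokenSource();
  const res = await apiGet(
    "https://api.planeconnection.com/api/v1/safety/reports",
    "workspace_abc123",
    tokens.source,
    server.transport,
  );
  return { status: res.status, attempts: server.attempts(), refreshes: tokens.refreshes() };
}

demo().then((r) => console.log(r)); // { status: 200, attempts: 2, refreshes: 1 }
```

The single-retry rule is the important part: a token that the server still rejects after a refresh is treated as a real authentication failure and surfaced to the caller, rather than retried again. The fake server never logs the token value itself, only the attempt count, which is the habit to keep when adding request logging around real credentials.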

Error Responses

  Status    Code                 Description
  401       UNAUTHORIZED         Missing or invalid credentials
  403       FORBIDDEN            Authenticated but insufficient permissions
  429       TOO_MANY_REQUESTS    Rate limit exceeded on auth endpoints

Example 401 response body:

  {
    "error": "Authentication required",
    "code": "UNAUTHORIZED",
    "requestId": "req_a1b2c3d4"
  }
Last modified on April 11, 2026