
Authentication

Protected PIE V2 endpoints require a Cognito-issued JWT in the Authorization header.

Authorization: Bearer <access_token>

The API does not issue tokens. Your application obtains a token from AWS Cognito using the flow configured for your integration.

Server-to-server integrations normally use the Cognito client credentials grant. The token includes a space-separated scope claim. Each streamline/... scope maps to one or more PIE operation permissions.

curl -s -X POST "https://<your-cognito-domain>/oauth2/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=<app-client-id>" \
  -d "client_secret=<app-client-secret>" \
  -d "scope=streamline/read_models streamline/run_inference"

Machine tokens also carry a Cognito client_id claim. For tenant-scoped routes, that claim must match the {client_id} path segment unless the token grants administrator access.

Human users authenticate with their Cognito username and password using the user-pool app client. PIE does not receive the password; it only receives the access token returned by Cognito.

Human access tokens include cognito:groups. The admin group grants full operation access and access to all registry clients.

Non-admin users must belong to a tenant group named client:{registry_client_id} to call routes under /v2/clients/{registry_client_id}/....

Every protected request is checked on two axes:

  1. Operation permission: Whether the token may perform the action, such as reading models, managing domains, initializing services, or running inference.
  2. Registry client access: Whether the token may use the client_id in the path for tenant-scoped routes.

Missing or invalid tokens return 401. Valid tokens without the required permission or tenant access return 403.
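
The two checks and the 401/403 split described above, modelled on already-verified claims. This is an added example, not PIE's own code. Assumptions: the streamline/admin scope is what "administrator access" means for machine tokens, a username claim marks a human token, each route requires a single scope, and the sample claims are constructed.

```python
# Added illustration, not PIE's implementation. Input: claims of a JWT whose
# signature, issuer and expiry were already verified (None = missing/invalid).
ADMIN_SCOPE = "streamline/admin"  # assumption: this is machine "administrator access"
ADMIN_GROUP = "admin"


def scopes(claims):
    return claims.get("scope", "").split()  # space-separated scope claim


def is_admin(claims):
    return ADMIN_SCOPE in scopes(claims) or ADMIN_GROUP in claims.get("cognito:groups", [])


def has_operation(claims, required_scope):
    """Axis 1: operation permission."""
    # Assumption: one scope per route. The page does not say how non-admin
    # human tokens get operation permissions; only the scope claim is used here.
    return is_admin(claims) or required_scope in scopes(claims)


def has_tenant_access(claims, path_client_id):
    """Axis 2: registry client access for /v2/clients/{client_id}/... routes."""
    if path_client_id is None or is_admin(claims):  # None: route is not tenant-scoped
        return True
    if "username" in claims:  # assumption: a username claim marks a human token
        return f"client:{path_client_id}" in claims.get("cognito:groups", [])
    return claims.get("client_id") == path_client_id  # machine token


def authorize(claims, required_scope, path_client_id=None):
    """Return the status the page describes: 401, 403 or 200."""
    if claims is None:
        return 401
    if has_operation(claims, required_scope) and has_tenant_access(claims, path_client_id):
        return 200
    return 403


# Constructed sample claims (not real tokens).
MACHINE = {"client_id": "acme", "scope": "streamline/read_models streamline/run_inference"}
HUMAN = {"username": "bob", "client_id": "app-client", "cognito:groups": ["client:acme"]}

if __name__ == "__main__":
    print(authorize(MACHINE, "streamline/run_inference", "acme"))   # 200
    print(authorize(MACHINE, "streamline/run_inference", "other"))  # 403
    print(has_tenant_access(HUMAN, "other"))                        # False
```

Checking a human token's tenant groups instead of its client_id claim keeps the user-pool app client ID from ever being compared with a registry client ID.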

Request the smallest scope set your integration needs.

Scope                       Typical use
streamline/read_models      Read model definitions, versions, and jobs.
streamline/write_models     Create or update models and versions.
streamline/train_model      Start model training jobs.
streamline/run_inference    Start inference through direct model routes or assignments.
streamline/client_read      Read tenant, domain, and service state.
streamline/service_init     Initialize services.
streamline/manage_domains   Create domains, features, services, and assignments.
streamline/complete_job     Report handler job completion.
streamline/admin            Full operation access.

GET /v2/health is public. All other useful API routes should be treated as protected.