Authentication
Overview
All API endpoints require authentication. Adva uses Bearer token authentication — you include a token in the Authorization header of every request.
Your token identifies who you are and which business you’re accessing. All API requests are automatically scoped to a single business, so you only see and modify data for the business associated with your token.
Getting a Token
Sign in to Adva to obtain an access token. The token is returned as part of the sign-in response and can be used immediately for API requests.
```bash
curl -X POST "https://api.getadva.ai/auth/v1/token?grant_type=password" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "your-password"
  }'
```
The response includes an access_token field — this is your Bearer token.
Making Authenticated Requests
Include the token in the Authorization header:
```bash
curl -X GET https://api.getadva.ai/api/v1/core/customers \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```
JavaScript Example
```javascript
const response = await fetch("https://api.getadva.ai/api/v1/core/customers", {
  headers: {
    Authorization: `Bearer ${token}`,
    "Content-Type": "application/json",
  },
});

const data = await response.json();
```
Business Scoping
Every API request is scoped to a single business. This means:
- You can only access data belonging to your active business
- All write operations automatically associate records with your business
- There is no way to query across businesses in a single request
If you have access to multiple businesses, the active business is determined by your token. To switch businesses, obtain a new token for the target business.
Token Expiration
Tokens expire after a set period. When a token expires, API requests return a 401 Unauthorized response. Obtain a fresh token by signing in again or using a refresh token.
Error Responses
| Status | Meaning |
|---|---|
| 401 | No token provided or token is invalid |
| 403 | Valid token but insufficient access |
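
The token expiration behaviour and the 401/403 distinction above, as an added example that is not Adva's own client code: a small wrapper that signs in again once on a 401 and retries, but treats a 403 as final. The names `createAdvaClient` and `fetchImpl` are hypothetical; the example assumes the sign-in endpoint returns a non-2xx status on failure, and it signs in again rather than using a refresh token because this page does not document a refresh endpoint.

```javascript
// Added example; not Adva's own client code.
const API_BASE = "https://api.getadva.ai";

// fetchImpl is injectable (assumption) so the logic can be exercised offline with a stub.
function createAdvaClient({ email, password, fetchImpl = globalThis.fetch }) {
  let token = null;   // held in memory only; never logged or persisted
  let pending = null; // shared in-flight sign-in, so parallel 401s cause one sign-in

  async function signIn() {
    const res = await fetchImpl(`${API_BASE}/auth/v1/token?grant_type=password`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });
    if (!res.ok) throw new Error(`sign-in failed: ${res.status}`);
    const body = await res.json();
    if (!body.access_token) throw new Error("sign-in response had no access_token");
    token = body.access_token;
    return token;
  }

  function getToken() {
    if (token) return Promise.resolve(token);
    pending ??= signIn().finally(() => { pending = null; });
    return pending;
  }

  async function request(path, init = {}) {
    for (let attempt = 0; ; attempt++) {
      const used = await getToken();
      const res = await fetchImpl(`${API_BASE}${path}`, {
        ...init,
        headers: { ...init.headers, Authorization: `Bearer ${used}` },
      });
      if (res.status === 401 && attempt === 0) {
        if (token === used) token = null; // drop only the token that was rejected
        continue;                         // sign in again and retry exactly once
      }
      // 403 means the token is valid but lacks access: a new token will not help.
      if (res.status === 403) throw new Error("403: valid token but insufficient access");
      if (!res.ok) throw new Error(`request failed: ${res.status}`);
      return res.json();
    }
  }

  return { request };
}
```

Capping the retry at one attempt keeps a persistently rejected token from turning into a sign-in loop against the auth endpoint.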