Authenticating to the API
Every request to the GraphQL API is authenticated either by your logged-in session (in the browser) or by a Bearer token. Create and scope tokens on the API keys page.
Two ways to authenticate
- Browser / same-origin: when you are signed in, the in-app console at /settings/graphql uses your session cookie automatically — no token needed.
- Programmatic: send an `Authorization: Bearer <token>` header. The request is scoped to the token’s tenant and inherits its permissions.
Token types
| Prefix | Type | Acts as | Create at |
|---|---|---|---|
| qehs_… | Tenant API key | the tenant (no specific user) | /settings/api-keys |
| qehs_… | Personal access token (PAT) | the issuing user | /settings/api-keys |
| sa_… | Service account | a non-interactive integration with explicit scopes | /settings/api-keys |
A token is shown in full exactly once, at creation. Store it in your secret manager immediately — it cannot be retrieved again, only revoked and re-issued.
Example request
```bash
curl -X POST https://app.qehsethos.com/api/graphql \
  -H "Authorization: Bearer qehs_<your-api-key>" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ me { email } activeTenant { role tenant { name } } }"}'
```
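One way to send the same request without typing the token on the command line, where it would end up in shell history and the process list (an added example, not code from the vendor). The `QEHS_API_TOKEN` variable name, the function names and the allowed token character set are assumptions; the prefixes, URL and query come from this page.

```shell
# Added example. Assumes the token was exported from a secret manager
# into QEHS_API_TOKEN (hypothetical variable name).
API_URL="https://app.qehsethos.com/api/graphql"

# Classify a token by the prefixes in the "Token types" table.
# Assumption: tokens use only [A-Za-z0-9_.-]; anything else is rejected
# so it cannot break the quoting of the curl config below.
token_kind() {
  case "$1" in
    *[!A-Za-z0-9_.-]*) return 1 ;;
    qehs_?*) echo "tenant-key-or-pat" ;;
    sa_?*)   echo "service-account" ;;
    *)       return 1 ;;
  esac
}

# Log-safe form of a token: keep the prefix, drop the secret part.
redact_token() {
  printf '%s_***\n' "${1%%_*}"
}

# Emit a curl config carrying the URL and headers. printf is a shell
# builtin, so the token never appears in another process's arguments.
curl_config() {
  token_kind "$1" >/dev/null || return 1
  printf 'url = "%s"\n' "$API_URL"
  printf 'header = "Authorization: Bearer %s"\n' "$1"
  printf 'header = "Content-Type: application/json"\n'
  printf 'fail\n'   # non-zero exit on an HTTP error status
}

# Run the page's example query; curl reads the config from stdin.
graphql_me() {
  token_kind "${QEHS_API_TOKEN:-}" >/dev/null || {
    echo "QEHS_API_TOKEN is unset or has an unrecognised prefix" >&2
    return 1
  }
  curl_config "$QEHS_API_TOKEN" |
    curl --silent --show-error --config - \
      --data '{"query": "{ me { email } activeTenant { role tenant { name } } }"}'
}
```

Call `graphql_me` after exporting the variable; use `redact_token "$QEHS_API_TOKEN"` wherever a script needs to log which credential it used.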