The Sutro API can be accessed by two main types of users:
  • Organization members: internal users who manage your Sutro environment.
  • Builders: end users or clients who build and run apps that integrate with Sutro.
All requests to the Sutro API are authenticated with JWTs (JSON Web Tokens). Builder requests must additionally be sent over mutual TLS (mTLS), which authenticates the client at the transport layer as well as through its token.
If you’d like to know why we use both JWTs and mTLS, check out our security philosophy.

Organization members

Members are approved users within your organization who can access the Sutro Console. They can:
  • Review usage metrics and logs.
  • Manage accounts and permissions.
  • Configure certificates for verifying Builder requests.

Authentication flow

  1. Members log in via the Sutro Auth Server using their credentials.
    • Currently supports username/password authentication.
    • Future releases will include SSO and identity provider integration.
  2. Upon successful login, the Auth Server issues a JWT.
    • Include this token in the Authorization header of all API requests.

Builders

Builders are customers or third-party developers who use Sutro’s APIs within their own applications. They are managed by your organization, not Sutro directly.

Authentication flow

  1. Your system generates a JWT on behalf of the Builder and signs it with the private key belonging to the verification certificate you registered.
  2. Sutro verifies the JWT’s signature using that registered public certificate.
  3. The request must be sent over an mTLS-secured connection, with the Builder’s client certificate presented in the handshake.
Requests that fail mTLS, or that carry a JWT that does not verify, are rejected.

Certificates for builders

To verify and secure Builder requests, you’ll need two certificates:
  • A verification certificate, whose public key Sutro uses to validate JWT signatures.
  • A client certificate, which the Builder presents during the mTLS handshake.
You can either:
  • Provide your own X.509-compliant certificates, or
  • Use Sutro-generated certificates signed by Sutro’s private CA.
Sutro-generated certificates expire after 90 days. Auto-renewal support is coming soon; until then, rotate them before they expire so that Builder requests keep passing mTLS verification.
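The Builder authentication flow and the two certificates above, as an added example in Go that is not Sutro’s own code: it mints an RS256 JWT on a Builder’s behalf with the private key of a (here self-signed) verification certificate, verifies that token the way the receiving side must (algorithm pinned to RS256 rather than read from the token, signature checked against the registered certificate’s key, expiry enforced), and checks a presented client certificate against the registered set, which is what a Go TLS server configured with ClientAuth: tls.RequireAndVerifyClientCert and ClientCAs does during the mTLS handshake. It goes beyond the page by also showing the rejections (alg=none, forged claims, unrelated certificate, expired certificate). The claim names, certificate fields, the builder ID and the self-signed certificates are assumptions; Sutro’s real endpoints, required claims and CA are not on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned makes an RSA key pair plus a self-signed X.509 certificate for it, standing in
// for the certificates a Builder registers (really CA-issued or Sutro-generated); assumed fields.
func selfSigned(cn string, ttl time.Duration) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// mintBuilderJWT is "your system" issuing an RS256 token for a Builder, signed with the
// private key of the verification certificate registered with Sutro. Claim names are assumed.
func mintBuilderJWT(key *rsa.PrivateKey, builderID string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]any{"sub": builderID, "iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyBuilderJWT is the verifying side: pin the algorithm (the token's own header must
// never choose it), check the signature with the registered certificate's key, then exp.
func verifyBuilderJWT(token string, cert *x509.Certificate, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejected alg %q: only RS256 is accepted", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the registered certificate")
	}
	var claims map[string]any
	if json.Unmarshal(body, &claims) != nil {
		return nil, errors.New("claims are not a JSON object")
	}
	if exp, ok := claims["exp"].(float64); !ok || float64(now.Unix()) >= exp {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// acceptClientCert is the server half of mTLS, i.e. what ClientAuth: tls.RequireAndVerifyClientCert
// does with the presented cert: chain it to a registered cert, check validity period and client-auth EKU.
func acceptClientCert(presented *x509.Certificate, registered []*x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	for _, c := range registered {
		pool.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	jwtKey, jwtCert, _ := selfSigned("builder-42 jwt signer", 90*24*time.Hour) // errors ignored only in this demo
	token, _ := mintBuilderJWT(jwtKey, "builder-42", time.Now(), 5*time.Minute)
	claims, err := verifyBuilderJWT(token, jwtCert, time.Now())
	fmt.Println("verified sub:", claims["sub"], "err:", err)
}
```

On the Builder side, the client certificate goes into the tls.Config used for the API connection (Certificates holding the client certificate and key, RootCAs pinned to the CA that issued Sutro’s endpoint certificate), and the JWT still travels in the Authorization header inside that connection; neither replaces the other. The detail worth copying from verifyBuilderJWT is that the algorithm comes from the verifier’s policy, not from the token: a verifier that honours whatever alg the header names can be talked into "none" or into treating the RSA public key as an HMAC secret.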