Skip to main content
TrueParser separates human dashboard access from machine access used by tenant apps.

Authentication Model

There are two main authentication paths:
  1. dashboard sign-in for tenant users
  2. machine-to-machine token issuance for tenant apps

1. Dashboard Sign-In

The dashboard is used to manage tenants, apps, plans, and billing.
  • URL: https://dashboard.trueparser.com
  • Users: tenant users
  • Current host setup: Google authentication is configured in the host
This is the management side of the control plane.

2. Machine Access For Tenant Apps

Backend services authenticate by exchanging app credentials for an access token.
  • Token endpoint: https://admin-api.trueparser.com/connect/token
  • Identity: tenant application
  • Credentials: client_id and client_secret
  • Flow: OAuth 2.0 client_credentials

Requesting A Token

curl -X POST https://admin-api.trueparser.com/connect/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=TrueParser.API"

Access Token Lifetime

The access token lifetime is configured to 15 minutes.
A 15-minute access token should not be a bottleneck for M2M clients if your backend caches the token and renews it close to expiry. The usual anti-pattern is requesting a new token for every API call.

Token Claims

For tenant apps, the access token is enriched with claims from tenant and app metadata. Common claims include:
  • sub
  • tenantid
  • appId
  • licenseRegionCode
  • dbCode
  • allowed_domain_1, allowed_domain_2, allowed_domain_3
  • limits (expressed in Document Units)
Example: 
{
  "iss": "https://admin-api.trueparser.com",
  "sub": "your_client_id",
  "tenantid": "3f9a6c6e-...",
  "appId": "7b1c0d8c-...",
  "licenseRegionCode": "aws-us-east-1",
  "dbCode": "region-db-code",
  "allowed_domain_1": "localhost:3000",
  "limits": {
    "maxDocumentUnitsPerMonth": 1000,
    "maxDocumentUnitsPerWeek": 500,
    "maxDocumentUnitsPerDay": 250,
    "maxDocumentUnitsPerHour": 100,
    "maxApiRequestsPerMinute": 10,
    "advancedExtraction": false,
    "allowedFormats": ["sql", "eml", "msg"]
  }
}

What Is Required For Token Issuance

For tenant apps, token issuance depends on app and tenant state.
  • the app must exist
  • the app must be enabled
  • the tenant must be active
  • the app must have a license region
  • the app must have a stamped database code

Plan Impact On Tokens

Plan assignment affects the limits claim.
  • no plan assigned: token issuance can still succeed, but limits is omitted
  • usable plan assigned: token includes limits
  • retired plan assigned: token issuance is blocked
Last modified on April 1, 2026