JONGAOCR
API Docs

Authentication

Jonga OCR has two distinct authentication paths. Humans sign in to the dashboard at /sign-in using Google or email/password (handled by Clerk) to manage their API tokens. Machines (your backend, mobile app, or scripts) call the OCR endpoints with a Bearer token created from that dashboard. All /api/v1/ocr/* endpoints require a valid API token passed in the Authorization header.

Token Format

API tokens use a jonga_ prefix followed by 32 alphanumeric characters (base62). Tokens are SHA-256 hashed before storage — the plaintext token is shown only once at creation time.

Token Formattext
jonga_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345
Prefix jonga_ + 32 base62 characters (a-z, A-Z, 0-9)

Creating a Token

Tokens are created from the dashboard, not via a public API endpoint. Sign in at /sign-in, then go to /dashboard/tokens and click Create Token. Give it a project name, choose scopes, and (optionally) set an expiry. The plaintext token is shown only once on the confirmation modal — copy it immediately, because the server stores only a SHA-256 hash and the value cannot be retrieved again.

The plaintext token is only displayed at creation time. Store it in a secrets manager or environment variable before closing the dialog.

Using a Token

Include your token in the Authorization header on every API request using the Bearer scheme.

Authenticated Requestbash
curl -X POST https://your-domain.vercel.app/api/v1/ocr/sa-id-smart-front \
  -H "Authorization: Bearer jonga_YOUR_TOKEN" \
  -F "image=@./id-front.jpg"

Scopes

Tokens can be restricted to specific document types using scopes. A token will be denied access to any endpoint not covered by its scopes.

Available Scopes

*Full access to all document types
sa-id-smart-frontSA Smart ID Card — front side
sa-id-smart-backSA Smart ID Card — back side
sa-id-greenbookSA Green Book ID — biographical page
passportInternational Passport — any country (ICAO Doc 9303)
sa-drivers-frontSA Driver's License — front side
sa-drivers-backSA Driver's License — back side

When creating a token from /dashboard/tokens, select only the scopes you need. For example, an ID verification flow that only reads SA Smart IDs should be limited to sa-id-smart-front and sa-id-smart-back — not *.

Token Info

Retrieve metadata about your token using the GET /api/v1/tokens/me endpoint. This is useful for checking scopes, expiry, and usage statistics.

Requestbash
curl https://your-domain.vercel.app/api/v1/tokens/me \
  -H "Authorization: Bearer jonga_YOUR_TOKEN"
Responsejson
{
  "success": true,
  "tokenPrefix": "jonga_aBcD",
  "projectName": "My App",
  "scopes": ["*"],
  "isActive": true,
  "expiresAt": "2027-01-01T00:00:00Z",
  "createdAt": "2026-04-05T10:00:00Z",
  "lastUsedAt": "2026-04-05T14:32:00Z",
  "requestCount": 142
}

Security Best Practices

1

Tokens are shown once

The plaintext token is only returned at creation time. It cannot be retrieved later.

2

SHA-256 hashed storage

Tokens are hashed with SHA-256 before being stored in the database. Even a database breach will not reveal token values.

3

Store securely

Use environment variables or a secrets manager. Never commit tokens to version control or expose them in client-side code.

4

Rotate regularly

Create new tokens and revoke old ones periodically. Use the expiresAt field to enforce automatic expiration.

5

Use scoped tokens

Restrict tokens to only the document types they need. Follow the principle of least privilege.