Authentication
Theatrical supports two authentication contexts. Most applications use both: an operator API key for transactional API calls, and loyalty member authentication for member-contextual calls (points balance, personal order history, subscription status).
Token-based auth (GAS)
The Global Authentication Service issues JWT operator tokens. These are short-lived and are automatically managed by the SDK’s TokenManager — your application code never handles token rotation.
Configuration
import { TheatricalClient } from '@theatrical/sdk';
const client = TheatricalClient.create({ apiKey: process.env.THEATRICAL_API_KEY!, // Your operator API key environment: 'production', // 'sandbox' (default) | 'staging' | 'production'});The apiKey is exchanged for a bearer token on first request. Subsequent requests reuse the cached token until five minutes before expiry, at which point the SDK proactively refreshes it. Concurrent requests during a refresh share a single token request — no thundering herd.
Environment variables
THEATRICAL_API_KEY=op_live_xxxxxxxxxxToken lifecycle
First request │ ▼GAS token request (apiKey) │ ▼Bearer token cached in memory (TokenManager) │ ▼ repeated for all requestsHTTP calls with Authorization: Bearer <token> │ ▼ 5 minutes before expiryProactive token refresh (deduplicated) │ ▼ on 401 responseToken invalidation + one immediate retryLoyalty member authentication
Member-contextual endpoints take an explicit member ID. A member proves who they are once via loyalty.authenticate; your application then stores the member ID in its own session and passes it to subsequent calls.
// After the member submits your login formconst member = await client.loyalty.authenticate(email, password);
// Store the member ID in your own sessionreq.session.memberId = member.id;// In an API route or server componentconst member = await client.loyalty.getMember(req.session.memberId);const balance = await client.loyalty.getPointsBalance(member.id);
console.log(`${member.firstName}: ${balance.points} points`);Verifying your setup
import { AuthenticationError } from '@theatrical/sdk';
try { const sites = await client.sites.list(); console.log(`Auth OK — ${sites.length} sites accessible`);} catch (err) { if (err instanceof AuthenticationError) { console.error('Auth failed:', err.message); }}Next steps
- Error handling — how
AuthenticationErrorandRateLimitErrorsurface - Quickstart — make your first authenticated API call