Authentication

Access Tokens

Temporary tokens (JWT) are returned by the login endpoint/mutation. These tokens have a relatively short expiration time, and are thus the most secure option to use. They are returned together with a refresh_token that can be used to retrieve a new access token via the refresh endpoint/mutation.

Once you have your access token, there are two ways to pass it to the API: via the access_token query parameter, or in the request's Authorization header.

Query Parameter

  ?access_token=<token>

Authorization Header

  Authorization: Bearer <token>

Login

Retrieve a temporary access token and refresh token.

Request Body

email Required
Email address of the user you're retrieving the access token for.

password Required
Password of the user.

otp
The user's one-time-password (if MFA is enabled).

mode
Whether to retrieve the refresh token in the JSON response, or in an httpOnly secure cookie. One of json, cookie. Defaults to json.

Response Attributes

access_token string
Temporary access token to be used in follow-up requests.

expires integer
How long before the access token will expire. Value is in milliseconds.

refresh_token string
The token that can be used to retrieve a new access token through /auth/refresh. Note: if you used cookie as the mode in the request, the refresh token won't be returned in the JSON.

Expiry time
The token's expiration time.

Example

  POST /auth/login

  {
    "email": "admin@example.com",
    "password": "Z1Tu5"
  }

Refresh

Retrieve a new access token using a refresh token.

Request Body

refresh_token
The refresh token to use. If you have the refresh token in a cookie through /auth/login, you don't have to submit it here.

mode
Whether to retrieve the refresh token in the JSON response, or in an httpOnly secure cookie. One of json, cookie.

Response Attributes

access_token string
Temporary access token to be used in follow-up requests.

expires integer
How long before the access token will expire. Value is in milliseconds.

refresh_token string
The token that can be used to retrieve a new access token through /auth/refresh. Note: if you used cookie as the mode in the request, the refresh token won't be returned in the JSON.

Example

  POST /auth/refresh

  {
    "refresh_token": "gmPd...8wuB",
    "mode": "json"
  }
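
The login and refresh flow described above, as an added client-side example (not code from this API's documentation or project): it treats expires as a lifetime in milliseconds, renews the access token shortly before it lapses, keeps the newest refresh token, and sends the access token in the Authorization header. The TokenSession class, the post(path, body) transport, the flat response dictionary and the 5-second margin are assumptions, and the responses in demo() are constructed.

```python
import time

class TokenSession:
    """Keeps the token pair from /auth/login fresh via /auth/refresh."""

    def __init__(self, post, clock=time.monotonic, margin_ms=5_000):
        self._post = post            # assumed transport: post(path, body) -> dict
        self._clock = clock
        self._margin_ms = margin_ms  # renew this long before the stated expiry
        self._access = self._refresh = None
        self._deadline = 0.0

    def _store(self, resp):
        self._access = resp["access_token"]
        # Refresh responses carry a refresh_token too; always keep the latest.
        self._refresh = resp.get("refresh_token", self._refresh)
        # "expires" is a lifetime in milliseconds, not a timestamp.
        self._deadline = self._clock() + (resp["expires"] - self._margin_ms) / 1000

    def login(self, email, password, otp=None):
        body = {"email": email, "password": password, "mode": "json"}
        if otp is not None:          # only sent when MFA is enabled
            body["otp"] = otp
        self._store(self._post("/auth/login", body))

    def auth_header(self):
        if self._access is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._deadline:
            body = {"refresh_token": self._refresh, "mode": "json"}
            self._store(self._post("/auth/refresh", body))
        # Header form keeps the token out of the URL, unlike ?access_token=.
        return {"Authorization": f"Bearer {self._access}"}

def demo():
    """Exercise the session against a constructed in-memory API stand-in."""
    now, calls = [0.0], []
    def fake_post(path, body):       # constructed responses, not real tokens
        calls.append((path, dict(body)))
        n = len(calls)
        return {"access_token": f"access-{n}", "expires": 900_000,
                "refresh_token": f"refresh-{n}"}
    session = TokenSession(fake_post, clock=lambda: now[0])
    session.login("admin@example.com", "constructed-password")
    first = session.auth_header()
    now[0] = 896.0                   # inside the 5 s margin before 900 s expiry
    second = session.auth_header()
    return first, second, calls
```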