Authentication
The API uses Bearer token authentication via signed JWTs. Session-based auth is available for first-party SPAs.
Obtaining a Token
POST /api/v1/auth/login
Content-Type: application/json
{
"email": "user@example.com",
"password": "secret"
}
Response:
{
"success": true,
"data": {
"token": "eyJ0eXAiOiJKV1QiLCJhbGci...",
"expires_at": "2026-06-18T00:00:00Z",
"token_type": "Bearer"
}
}
Using the Token
Pass the token in the Authorization header on every subsequent request. Anyone who holds the token can act as that user until it expires or is revoked, so send it only over HTTPS and keep it out of query strings and logs:
GET /api/v1/users/me
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGci...
Refreshing Tokens
Exchange the current token for a new one before it expires. The request authenticates with the current token, so schedule the refresh ahead of expires_at rather than waiting for a request to fail:
POST /api/v1/auth/refresh
Authorization: Bearer <current_token>
Revoking Tokens
Log out to revoke the token presented in the request. Discard the token client-side as well, since it will no longer be accepted:
POST /api/v1/auth/logout
Authorization: Bearer <token>
⚠ Token Expiry
Tokens expire after 24 hours by default. Configure JWT_TTL in your .env file (value in minutes; the 24-hour default corresponds to JWT_TTL=1440). A shorter lifetime narrows the window in which a leaked token is usable; pair it with the refresh endpoint so clients are not forced to re-enter credentials.
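The whole flow above (login, calling /users/me with the token, refreshing ahead of the JWT_TTL expiry, and logout) as an added end-to-end example. This is not part of this documentation or the project's code: it is Python with a constructed in-memory stand-in for the server so it runs offline. The HS256 signing, the jti denylist that makes logout and refresh actually reject the old token, the test account, the settable clock and the ApiClient class are all assumptions of the example, not this API's implementation.

```python
from __future__ import annotations
import base64, calendar, hashlib, hmac, json, secrets, time

TS = "%Y-%m-%dT%H:%M:%SZ"  # expires_at format shown in the login response

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class FakeAuthServer:
    """Constructed in-memory stand-in for the API so the example runs offline. Everything in it
    is assumed, not this API's implementation: HS256 signing, a jti denylist, a settable clock."""
    def __init__(self, secret: bytes, ttl_minutes: int = 1440):  # 1440 min = the 24 h default
        self.secret, self.ttl, self.now = secret, ttl_minutes * 60, 0
        self.users = {"user@example.com": "secret"}  # constructed account; real code stores hashes
        self.revoked: set[str] = set()  # jti values of tokens retired by logout or refresh

    def _issue(self, sub: str) -> dict:
        exp = self.now + self.ttl
        head = b64url(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
        body = b64url(json.dumps({"sub": sub, "exp": exp, "jti": secrets.token_hex(8)}).encode())
        sig = hmac.new(self.secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return {"token": f"{head}.{body}.{b64url(sig)}", "token_type": "Bearer",
                "expires_at": time.strftime(TS, time.gmtime(exp))}

    def _verify(self, headers: dict) -> dict | None:
        auth = headers.get("Authorization", "")
        try:
            head, body, sig = auth[7:].split(".") if auth.startswith("Bearer ") else ()
            if json.loads(b64url_decode(head)).get("alg") != "HS256":  # reject alg confusion
                return None
            want = hmac.new(self.secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(b64url(want), sig):
                return None
            claims = json.loads(b64url_decode(body))  # parsed only after the signature checks out
            return None if claims["exp"] <= self.now or claims["jti"] in self.revoked else claims
        except (ValueError, KeyError, TypeError, AttributeError):  # malformed token or claims
            return None

    def handle(self, method: str, path: str, headers: dict, body: dict | None) -> tuple[int, dict]:
        if (method, path) == ("POST", "/api/v1/auth/login"):
            body = body or {}
            if not body.get("password") or self.users.get(body.get("email")) != body["password"]:
                return 401, {"success": False, "error": "invalid credentials"}
            return 200, {"success": True, "data": self._issue(body["email"])}
        claims = self._verify(headers)
        if claims is None:
            return 401, {"success": False, "error": "unauthenticated"}
        if (method, path) == ("GET", "/api/v1/users/me"):
            return 200, {"success": True, "data": {"email": claims["sub"]}}
        if method == "POST" and path in ("/api/v1/auth/refresh", "/api/v1/auth/logout"):
            self.revoked.add(claims["jti"])  # the presented token is retired either way
            if path.endswith("/logout"):
                return 200, {"success": True}
            return 200, {"success": True, "data": self._issue(claims["sub"])}
        return 404, {"success": False, "error": "not found"}

class ApiClient:
    """Hypothetical client for the documented endpoints. transport(method, path, headers, body)
    returns (status, json); against a real deployment it would wrap an HTTP library."""
    def __init__(self, transport, clock=time.time):
        self.transport, self.clock, self.token, self.expires_at = transport, clock, None, 0
    def _store(self, status: int, resp: dict) -> bool:
        if status == 200:  # keep the token and its expiry so refresh can be scheduled proactively
            self.token = resp["data"]["token"]
            self.expires_at = calendar.timegm(time.strptime(resp["data"]["expires_at"], TS))
        return status == 200
    def login(self, email: str, password: str) -> bool:
        return self._store(*self.transport("POST", "/api/v1/auth/login",
                           {"Content-Type": "application/json"}, {"email": email, "password": password}))
    def refresh(self) -> bool:
        return self._store(*self.transport("POST", "/api/v1/auth/refresh",
                           {"Authorization": f"Bearer {self.token}"}, None))
    def ensure_fresh(self, skew: int = 300) -> bool:
        """Refresh within `skew` seconds of expires_at instead of learning about expiry from a 401."""
        return self.refresh() if self.expires_at - self.clock() < skew else True
    def me(self) -> tuple[int, dict]:
        self.ensure_fresh()
        return self.transport("GET", "/api/v1/users/me", {"Authorization": f"Bearer {self.token}"}, None)
    def logout(self) -> int:
        status, _ = self.transport("POST", "/api/v1/auth/logout", {"Authorization": f"Bearer {self.token}"}, None)
        self.token, self.expires_at = None, 0  # forget it locally whatever the server answered
        return status

def run_demo() -> dict:
    """Walk login -> me -> proactive refresh -> logout and record what the server answered."""
    server = FakeAuthServer(secret=b"constructed-example-secret")
    client = ApiClient(server.handle, clock=lambda: server.now)
    out = {"bad_login": client.login("user@example.com", "wrong"),
           "login": client.login("user@example.com", "secret"), "me": client.me()[0]}
    first = client.token
    server.now += 1440 * 60 - 60  # one minute before expiry: me() now refreshes first
    out["me_near_expiry"], out["rotated"] = client.me()[0], client.token != first
    out["old_token"] = server.handle("GET", "/api/v1/users/me", {"Authorization": f"Bearer {first}"}, None)[0]
    last = client.token
    out["logout"] = client.logout()
    out["after_logout"] = server.handle("GET", "/api/v1/users/me", {"Authorization": f"Bearer {last}"}, None)[0]
    return out
```

Running run_demo() shows the points the documentation states but does not demonstrate: the old token is rejected once it has been refreshed or logged out, and a client that tracks expires_at refreshes before a request fails rather than after. Whether this API invalidates the previous token on refresh is not stated above; the denylist here is the example's own choice.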