Skip to main content
Every request must include Authorization: Bearer <token>.

Login

POST /api/v1/auth/login
{"email":"user@example.com","password":"yourpassword"}
Response:
{"data":{"accessToken":"eyJ...","refreshToken":"eyJ...","expiresIn":3600}}

Refresh a token

POST /api/v1/auth/refresh
{"refreshToken":"eyJ..."}

Required headers

HeaderRequiredDescription
AuthorizationAlwaysBearer <token>
X-Organization-IDMost endpointsUUID of your organization

Security best practices

Store access tokens in memory, not localStorage
Store refresh tokens in httpOnly secure cookies
Use HTTPS everywhere
Revoke tokens on logout