API: Authentication

There are 4 ways to authenticate with the API:

1. Creating a session.

Posting authentication parameters in a body to POST /security. The request body should be JSON payload:

{"user":{"email":"user91@example.com","password":"iamsosecretyouwillforgetmewhenyoureadme"}}

The response, if successful, will be a JSON payload of the form:

{"meta":{"status":200,"message":"OK"},"data":{"auth_token":"xxxxxxxxxxxxxxxxxxxx","user_name":"reader","message":"Logged in successfully."}}

This process will:

The cookie's session expires after six hours.

The cookie issued from the create session step can be sent back on each request. This is typically done by the browser.

Send the cookie in the Cookie header.

Can be transmitted with the Authorization header in the format Authorization: Token token="xxxxxxxxxxxxxxxxxxxx"
Via the user_token query string parameter on any URL e.g GET /projects/1?user_token=xxxxxxxxxxxxxxxxxxxx
The current token can be retrieved from GET /security/user
Tokens are regularly refreshed (when a new session is created, or a session is deleted)

JWTs are not issued by the API, there is no exposed method for generating them.
JWTs are only currently issued for machine-to-machine service operations
JWTs must be transmitted in the Authorization header in the format Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
JWTs emitted by our site will have the following claims:
- A sub subject claim identifying the user that is authenticated by this token
- A exp expiration claim that defaults to a 24-hour expiry
- A nbf not before claim that is not set by default
- An optional custom resource claim that restricts the token to a particular resource (like projects, sites, etc...)
- An optional custom action claim that restricts the token to a particular action (like show, index, create, etc...)

Note: both the resource and action claims are additional restrictions on access. They don't bypass any of the normal authorization rules.