It used to retrieve an :term:`access token` to access protected items, renew :term:`access token` and remove permissions. The :term:`access token` is a Json Web Token (IETF). More info on :doc:`authentication </authentication>`
.. http:post:: /auth
Authenticate an user to obtain an :term:`access token`.
:reqjson string username: the username
:reqjson string password: the password
:reqjson string grant_type: `"password"`, the grant type to apply (password is the default, it can be ommitted)
:resheader Content-Type: application/json
:status 200: response contains :term:`access token` and :term:`refresh token`
:status 400: when required parameters are missing or the request is malformed
:status 401: when authentication fails
**Example request**:
.. sourcecode:: http
POST /auth HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json
{
"username": "test",
"password": "test",
"grant_type": "password"
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"api": "auth",
"data": {
"access_token": "eyJ0eXAi.....",
"expires_in": 600,
"refresh_token": "51a3f718e7abc712e421f64ea497a323aea4e76f"
},
"method": "post",
"params": [ ],
"url": "https://example.com/api/auth"
}
.. note::
Once you received the access token you have to use it in every request
that requires authentication. It can be used in HTTP header
::
Authorization: Bearer <token>
or as query string ``/api/endpoint?access_token=<token>``
If the access token was expired you need to generate a new one started by refresh token. In this case do not pass the expired access token
.. http:post:: /auth
Renew an `access_token`.
:reqjson string refresh_token: the :term:`refresh token` to use to renew :term:`access token`
:reqjson string grant_type: `"refresh_token"`, the grant type to apply
:resheader Content-Type: application/json
:status 200: Success, it responds with the new :term:`access token` and :term:`refresh token`
:status 400: when required parameters are missing or the request is malformed
:status 401: when :term:`refresh token` is invalid
**Example request**:
.. sourcecode:: http
POST /auth HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
Content-Type: application/json
{
"grant_type": "refresh_token",
"refresh_token": "51a3f718e7abc712e421f64ea497a323aea4e76f"
}
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"api": "auth",
"data": {
"access_token": "rftJasd3.....",
"expires_in": 600,
"refresh_token": "51a3f718e7abc712e421f64ea497a323aea4e76f"
},
"method": "post",
"params": [ ],
"url": "https://example.com/api/auth"
}
.. http:get:: /auth
It returns the updated ``expires_in`` time for :term:`access token`
:reqheader Authorization: the :term:`access token` as Bearer token
:resheader Content-Type: application/json
:status 200: no error, payload contains the updated ``expires_in`` value
:status 400: the request is malformed
:status 401: the :term:`access token` is invalid
**Example request**:
.. sourcecode:: http
GET /auth HTTP/1.1
Host: example.com
Accept: application/json, text/javascript
**Example response**:
.. sourcecode:: http
HTTP/1.1 200 OK
Content-Type: application/json
{
"api": "auth",
"data": {
"access_token": "rftJasd3.....",
"expires_in": 48
},
"method": "get",
"params": [ ],
"url": "https://example.com/api/auth"
}
Revoking a :term:`refresh token`
In order to invalidate an :term:`access token` you need to remove it from client and revoke the :term:`refresh token`
.. http:delete:: /auth/(string:refresh_token)
Revoke a :term:`refresh token`
:reqheader Authorization: the :term:`access token` as Bearer token
:param string refresh_token: the :term:`refresh token` to revoke
:status 204: the refresh token was deleted
:status 400: the request is malformed
:status 401: the :term:`access token` is invalid or
:status 404: the :term:`refresh token` was already revoked or not exists