
Authentication

The Auth endpoints handle user login, logout, and token refresh. MySagra uses JWT-based authentication with short-lived access tokens and long-lived refresh tokens stored as HTTP-only cookies.

Token Lifecycle

| Token         | Storage                               | Expiry     |
| ------------- | ------------------------------------- | ---------- |
| Access Token  | Response body / Authorization header  | 15 minutes |
| Refresh Token | HTTP-only cookie (refreshToken)       | 7 days     |

POST /auth/login

Authenticate a user with username and password.

Authentication: None required

Request Body

{ "username": "admin", "password": "password123" }
| Field    | Type   | Required | Description     |
| -------- | ------ | -------- | --------------- |
| username | string | Yes      | User’s username |
| password | string | Yes      | User’s password |

Response 200 OK

The refresh token is automatically set as an HTTP-only cookie named refreshToken (expires in 7 days).

{ "user": { "id": "clxyz123456789abcdef", "username": "admin", "role": "admin" }, "accessToken": "eyJhbGciOiJIUzI1NiIs..." }
| Field         | Type   | Description                              |
| ------------- | ------ | ---------------------------------------- |
| user.id       | string | User’s unique identifier (CUID)          |
| user.username | string | User’s username                          |
| user.role     | string | User’s role name                         |
| accessToken   | string | JWT access token (expires in 15 minutes) |

Errors

| Status | Description                  |
| ------ | ---------------------------- |
| 400    | Missing username or password |
| 401    | Invalid password             |
| 404    | User not found               |

POST /auth/logout

Revoke a refresh token to log out from a specific session.

Authentication: Cookie (refreshToken)

The refresh token is automatically read from the refreshToken HTTP-only cookie.

Response 200 OK

Empty response — the refresh token has been revoked.

Errors

| Status | Description                      |
| ------ | -------------------------------- |
| 400    | Missing or invalid refresh token |
| 401    | Invalid or expired refresh token |

POST /auth/refresh

Generate a new access token using the refresh token cookie.

Authentication: Cookie (refreshToken)

Response 200 OK

{ "accessToken": "eyJhbGciOiJIUzI1NiIs..." }
| Field       | Type   | Description                                  |
| ----------- | ------ | -------------------------------------------- |
| accessToken | string | New JWT access token (expires in 15 minutes) |

Errors

| Status | Description                      |
| ------ | -------------------------------- |
| 400    | Refresh token missing            |
| 401    | Invalid or expired refresh token |