
Overview

GZCTF supports multiple authentication methods for API access:
  1. Session-based authentication - Cookie-based sessions for web applications
  2. API tokens - Bearer tokens for programmatic access (Admin only)

Session Authentication

Login

Authenticate using username/email and password to establish a session.
curl -X POST https://your-instance.com/api/account/login \
  -H "Content-Type: application/json" \
  -d '{
    "userName": "[email protected]",
    "password": "encrypted_password"
  }'

Endpoint: POST /api/account/login

Parameters:
  • userName (string, required) - Username or email address
  • password (string, required) - User password (may require encryption based on platform settings)

Response:
  • status (integer) - HTTP status code: 200 for success, 401 for invalid credentials

Logout

Terminate the current session.

Endpoint: POST /api/account/logout

Requires authentication. This endpoint will clear the session cookie.
curl -X POST https://your-instance.com/api/account/logout \
  -H "Cookie: .AspNetCore.Identity.Application=..." 

API Tokens

API tokens provide a secure way for administrators to access the API programmatically without session cookies.

Generate Token

Create a new API token with optional expiration.

Endpoint: POST /api/tokens

Requires Admin permission. Tokens are shown only once upon creation.
Parameters:
  • name (string, required) - Descriptive name for the token
  • expiresIn (integer, optional) - Number of days until token expiration (0 = no expiration)

Response:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "name": "CI/CD Pipeline Token",
  "createdAt": "2026-03-01T12:00:00Z",
  "expiresAt": "2026-04-01T12:00:00Z",
  "creatorId": "user-guid"
}

List Tokens

Retrieve all API tokens.

Endpoint: GET /api/tokens

Requires Admin permission.

Response:
[
  {
    "id": "token-guid-1",
    "name": "Production API",
    "createdAt": "2026-01-15T08:00:00Z",
    "expiresAt": null,
    "revokedAt": null,
    "lastUsedAt": "2026-03-01T10:30:00Z"
  },
  {
    "id": "token-guid-2",
    "name": "Testing Token",
    "createdAt": "2026-02-20T14:00:00Z",
    "expiresAt": "2026-03-20T14:00:00Z",
    "revokedAt": null
  }
]

Revoke Token

Revoke or delete an API token.

Endpoint: DELETE /api/tokens/

Parameters:
  • id (string, required) - Token UUID
  • delete (boolean, default: false) - If true, permanently delete the token instead of just revoking it

Restore Token

Restore a previously revoked token.

Endpoint: POST /api/tokens//restore

Parameters:
  • id (string, required) - Token UUID

Using API Tokens

Include the token in the Authorization header:
curl -X GET https://your-instance.com/api/admin/users \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Permission Levels

GZCTF uses role-based access control:
Role      Description
User      Standard user with access to games and teams
Monitor   Can view game events, submissions, and captures
Admin     Full administrative access
Banned    No access (authentication fails)

Authorization Attributes

Endpoints are protected by middleware attributes:
  • [RequireUser] - Requires authenticated user
  • [RequireMonitor] - Requires Monitor or Admin role
  • [RequireAdmin] - Requires Admin role

Security Best Practices

Never expose API tokens in client-side code or public repositories. Use environment variables or secure vaults.
When the platform has ApiEncryption enabled, passwords must be encrypted client-side before transmission. Check /api/admin/config for the current setting.
Registration and login endpoints may require captcha verification when UseCaptcha is enabled in account policies.
Sessions are managed through cookies (AspNetCore.Identity.Application). Ensure your HTTP client supports cookies for session-based authentication.
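As an added example (not GZCTF project code), the following Python audits a List Tokens response in the shape shown above and flags active tokens that never expire, have already expired, or have gone unused, and builds the Bearer header from an environment variable instead of a literal. The third token entry and the GZCTF_API_TOKEN variable name are constructed assumptions.

```python
# Added example, not GZCTF project code: audit a GET /api/tokens response and
# flag tokens an admin should revoke; load a bearer token from the environment.
import json
import os
from datetime import datetime, timedelta
# Constructed sample in the List Tokens response shape shown on this page.
SAMPLE_LIST_RESPONSE = json.dumps([
    {"id": "token-guid-1", "name": "Production API",
     "createdAt": "2026-01-15T08:00:00Z", "expiresAt": None,
     "revokedAt": None, "lastUsedAt": "2026-03-01T10:30:00Z"},
    {"id": "token-guid-2", "name": "Testing Token",
     "createdAt": "2026-02-20T14:00:00Z", "expiresAt": "2026-03-20T14:00:00Z",
     "revokedAt": None},
    {"id": "token-guid-3", "name": "Old CI Token",  # constructed extra entry
     "createdAt": "2025-10-01T09:00:00Z", "expiresAt": None,
     "revokedAt": None, "lastUsedAt": "2025-11-01T09:00:00Z"},
])

def _parse(ts):
    # Timestamps are ISO-8601 with a trailing Z; null fields stay None.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def audit_tokens(list_json, now_iso, stale_days=60):
    """Return {token id: [reasons]} for active tokens worth revoking."""
    now = _parse(now_iso)
    findings = {}
    for tok in json.loads(list_json):
        if tok.get("revokedAt"):
            continue  # already revoked, nothing to do
        reasons = []
        expires = _parse(tok.get("expiresAt"))
        # Tokens that were never used fall back to their creation time.
        last_used = _parse(tok.get("lastUsedAt")) or _parse(tok["createdAt"])
        if expires is None:
            reasons.append("no expiration set (expiresIn=0)")
        elif expires <= now:
            reasons.append("expired but not yet revoked")
        if now - last_used > timedelta(days=stale_days):
            reasons.append(f"unused for more than {stale_days} days")
        if reasons:
            findings[tok["id"]] = reasons
    return findings

def bearer_header(env=None, var="GZCTF_API_TOKEN"):
    """Build the Authorization header from an env var (assumed name), never a literal."""
    token = (os.environ if env is None else env).get(var)
    if not token:
        raise RuntimeError(f"{var} is not set")
    return {"Authorization": f"Bearer {token}"}
```

Run audit_tokens against the live GET /api/tokens body with the current UTC time, then revoke the flagged ids through DELETE /api/tokens.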

Next Steps

  • Account API - User registration and profile management
  • Admin API - Administrative endpoints
