
Overview

MinistryHub uses JWT (JSON Web Token) based authentication to secure API endpoints. All protected endpoints require a valid JWT token in the request headers.

Authentication Flow

  1. Login: Send credentials to the login endpoint
  2. Receive Token: Get a JWT access token with 1-hour expiration
  3. Include Token: Send the token in the Authorization header for all subsequent requests
  4. Token Expiration: Tokens expire after 3600 seconds (1 hour)

Login Endpoint

POST /api/auth/login

Authenticate a user and receive a JWT access token.
Body parameters:

  • email (string, required): User’s email address
  • password (string, required): User’s password
  • recaptchaToken (string, required): Google reCAPTCHA v3 token for security verification (minimum score: 0.5)

Request Example

curl -X POST https://your-domain.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-password",
    "recaptchaToken": "03AGdBq24..."
  }'

Response

Response fields:

  • success (boolean): Indicates if authentication was successful
  • access_token (string): JWT token to use for authenticated requests
  • expires_in (integer): Token expiration time in seconds (3600 = 1 hour)

Success Response Example

{
  "success": true,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEyMywiZW1haWwiOiJ1c2VyQGNodXJjaC5vcmciLCJpYXQiOjE3MDkxNjAwMDAsImV4cCI6MTcwOTE2MzYwMH0.signature",
  "expires_in": 3600
}

Error Responses

The login endpoint answers with a JSON error body in these cases (messages are returned in Spanish):

Missing email or password:
{
  "error": "El correo y la contraseña son obligatorios"
}

Invalid credentials:
{
  "error": "Credenciales inválidas"
}

reCAPTCHA verification failed:
{
  "error": "Verificación de seguridad fallida"
}

Using the Access Token

Once authenticated, include the JWT token in the Authorization header of all API requests:
curl https://your-domain.com/api/bootstrap \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."

Alternative Token Methods

For Server-Sent Events (SSE) or situations where headers cannot be set:
# Query parameter
curl "https://your-domain.com/api/endpoint?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."
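The full flow from the sections above (log in, cache access_token and expires_in, send the Bearer header, and fall back to ?token= only for SSE) as one client. This is an added example, not MinistryHub's own client code; it assumes only what this page states about the endpoints and bodies. The FakeServer, its HTTP status codes, the clock value, and the email, password and reCAPTCHA values are constructed so the example runs offline.

```python
import json
import time
import urllib.parse


class AuthError(Exception):
    """Raised when /api/auth/login does not answer with success=true."""


class MinistryHubClient:
    # Re-login this many seconds before the advertised expiry so a request sent right
    # at the 3600 s boundary is not answered with {"error": "Unauthorized"}.
    REFRESH_MARGIN = 60

    def __init__(self, base_url, email, password, recaptcha_provider, transport,
                 clock=time.time):
        # transport(method, url, headers, body) -> (status, raw_body); injected so the
        # example runs offline against the constructed FakeServer below.
        self.base_url = base_url.rstrip("/")
        self._email, self._password = email, password
        self._recaptcha = recaptcha_provider   # yields a fresh reCAPTCHA v3 token per login
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0

    def login(self):
        body = json.dumps({"email": self._email, "password": self._password,
                           "recaptchaToken": self._recaptcha()}).encode()
        _, raw = self._transport("POST", self.base_url + "/api/auth/login",
                                 {"Content-Type": "application/json"}, body)
        data = json.loads(raw)
        if not data.get("success") or "access_token" not in data:
            raise AuthError(data.get("error", "login failed"))
        self._token = data["access_token"]
        # expires_in is relative (3600 = 1 hour): anchor it to the client's own clock.
        self._expires_at = self._clock() + int(data["expires_in"])
        return self._token

    def token(self):
        if self._token is None or self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self.login()
        return self._token

    def get(self, path):
        status, raw = self._transport("GET", self.base_url + path,
                                      {"Authorization": "Bearer " + self.token()}, None)
        return status, json.loads(raw)

    def sse_url(self, path):
        # EventSource cannot set headers, so this is the one place the token goes into a URL.
        return self.base_url + path + "?" + urllib.parse.urlencode({"token": self.token()})


class FakeServer:
    """Constructed stand-in for the API so the example runs offline. Bodies mirror the
    page; the HTTP status codes are this fake's choice, the page does not list them."""

    def __init__(self):
        self.logins = 0
        self._valid = set()

    def __call__(self, method, url, headers, body):
        parts = urllib.parse.urlsplit(url)
        if method == "POST" and parts.path == "/api/auth/login":
            req = json.loads(body)
            if not req.get("email") or not req.get("password"):
                return 400, json.dumps({"error": "El correo y la contraseña son obligatorios"}).encode()
            if not req.get("recaptchaToken"):
                return 400, json.dumps({"error": "Verificación de seguridad fallida"}).encode()
            if req["password"] != "correct-horse":
                return 401, json.dumps({"error": "Credenciales inválidas"}).encode()
            self.logins += 1
            tok = f"fake-token-{self.logins}"
            self._valid.add(tok)
            return 200, json.dumps({"success": True, "access_token": tok, "expires_in": 3600}).encode()
        auth = headers.get("Authorization", "")
        tok = (auth[len("Bearer "):] if auth.startswith("Bearer ")
               else urllib.parse.parse_qs(parts.query).get("token", [None])[0])
        if tok not in self._valid:
            return 401, b'{"error": "Unauthorized"}'
        return 200, b'{"ok": true}'


def demo():
    """Log in once, reuse the token, re-login as expiry approaches, and surface a bad login."""
    server = FakeServer()
    now = [1_709_160_000.0]   # constructed clock; equals the iat in the page's example token
    captcha = lambda: "03AGdBq24..."   # stands in for a real reCAPTCHA v3 token
    client = MinistryHubClient("https://your-domain.com", "user@example.com", "correct-horse",
                               captcha, server, clock=lambda: now[0])
    status1, _ = client.get("/api/bootstrap")
    status2, _ = client.get("/api/bootstrap")     # same token, no second login
    first = client.token()
    now[0] += 3600 - 30                           # inside REFRESH_MARGIN: next call re-logs in
    status3, _ = client.get("/api/bootstrap")
    try:
        MinistryHubClient("https://your-domain.com", "user@example.com", "wrong", captcha, server).login()
        error = None
    except AuthError as e:
        error = str(e)
    return {"statuses": (status1, status2, status3), "logins": server.logins,
            "rotated": client.token() != first, "sse_url": client.sse_url("/api/events"),
            "bad_login_error": error}
```

The refresh margin is the part worth copying: a client that only checks `expires_in` at the instant of the request will still be rejected in flight, so re-login a little early and keep the reCAPTCHA provider pluggable, because every re-login needs a fresh v3 token.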

Protected Endpoints

All endpoints except /api/auth/* require authentication. If a token is missing or invalid, you’ll receive:
{
  "error": "Unauthorized"
}
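What the check in front of every non-/api/auth/* endpoint has to do, as an added example (not MinistryHub's PHP implementation): take the token from the Authorization header (or from ?token= as the SSE fallback), verify its HS256 signature and exp claim, and otherwise answer {"error": "Unauthorized"}. It uses the page's own example token, whose header decodes to {"typ":"JWT","alg":"HS256"} and whose payload carries uid, email, iat and exp one hour apart; the signing secret, the mint() helper, the 401 status code and the body returned on success are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional
from urllib.parse import parse_qs

UNAUTHORIZED = {"error": "Unauthorized"}

# The page's example token. Its third part is the literal placeholder "signature",
# so it can be decoded but never verified.
PAGE_EXAMPLE_TOKEN = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
                      "eyJ1aWQiOjEyMywiZW1haWwiOiJ1c2VyQGNodXJjaC5vcmciLCJpYXQiOjE3MDkxNjAwMDAsImV4cCI6MTcwOTE2MzYwMH0."
                      "signature")


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def peek_claims(token: str) -> Optional[Dict]:
    """Decode the payload WITHOUT verifying it: fine for a client that wants to know
    when exp falls, never for an access decision on the server."""
    try:
        claims = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    return claims if isinstance(claims, dict) else None


def mint(claims: Dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a token the way the login endpoint would (constructed helper; alg is a
    parameter only so the verifier can be shown rejecting non-HS256 headers)."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": alg}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, secret: bytes, now: Optional[float] = None) -> Optional[Dict]:
    """Return the claims if token is a correctly signed, unexpired HS256 JWT, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:            # bad base64, bad UTF-8 and bad JSON all land here
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm server-side: the token must never get to choose it
    # (this is what rejects alg=none and key-confusion tokens).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or now >= exp:
        return None
    return claims


def extract_token(headers: Dict[str, str], query: str) -> Optional[str]:
    """Authorization: Bearer <jwt> first; ?token=<jwt> only as the SSE fallback."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip() or None
    return parse_qs(query).get("token", [None])[0]


def authorize(headers: Dict[str, str], query: str, secret: bytes, now: Optional[float] = None):
    """The gate in front of a protected endpoint: returns (status, body)."""
    token = extract_token(headers, query)
    claims = verify(token, secret, now) if token else None
    if claims is None:
        return 401, UNAUTHORIZED
    return 200, {"uid": claims.get("uid")}
```

Two details carry the security weight: the algorithm is fixed by the server rather than read from the token, and the signature is compared with hmac.compare_digest. peek_claims() is included to show why the client can read exp from the token without a secret, and why that decode must never stand in for verify().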

Security Notes

  • Tokens expire after 1 hour
  • Store tokens securely (e.g., secure HTTP-only cookies, encrypted storage)
  • Never expose tokens in URLs (except for SSE/EventSource use cases, which cannot set headers; expect a query-string token to be recorded in server, proxy and browser-history logs)
  • reCAPTCHA v3 is required for login attempts
  • Password verification uses PHP’s password_verify() with bcrypt hashing

Next Steps

JWT Token Structure

Learn about JWT payload and token structure

API Reference

Explore available API endpoints
