The MTB Backend API uses JWT (JSON Web Token) authentication powered by Strapi’s @strapi/plugin-users-permissions plugin. This guide covers user registration, login, and how to use JWT tokens in your API requests.
Authentication Flow
1. Register a new user: create an account by providing a username, email, and password.
2. Log in to get a JWT token: authenticate with your credentials to receive a JWT token.
3. Use the token in requests: include the JWT token in the Authorization header for protected endpoints.
Register a New User
Create a new user account by sending a POST request to the /api/auth/local/register endpoint.
Request
username: Unique username for the new user
email: Valid email address for the user
password: Password for the user account (minimum 6 characters)
Example Request
curl -X POST http://localhost:1337/api/auth/local/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "johndoe",
    "email": "[email protected]",
    "password": "SecurePass123!"
  }'
Response
jwt: JWT token for authentication
user: User information object
user.provider: Authentication provider (default: "local")
user.confirmed: Whether the user's email is confirmed
user.blocked: Whether the user account is blocked
user.createdAt: Account creation timestamp
{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNjMzMDI0MjAwLCJleHAiOjE2MzU2MTYyMDB9.K0HS7xKH0ZdXKJJh6gZCqZhVXjHqGq6x2r4M8qE5u8Y",
  "user": {
    "id": 1,
    "username": "johndoe",
    "email": "[email protected]",
    "provider": "local",
    "confirmed": false,
    "blocked": false,
    "createdAt": "2026-03-04T10:30:00.000Z",
    "updatedAt": "2026-03-04T10:30:00.000Z"
  }
}
Login
Authenticate with existing credentials to receive a JWT token.
Request
identifier: Username or email address
password: Password for the user account
Example Request
curl -X POST http://localhost:1337/api/auth/local \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "[email protected]",
    "password": "SecurePass123!"
  }'
Response
The response structure is identical to the registration response, containing the JWT token and user information.
{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiaWF0IjoxNjMzMDI0MjAwLCJleHAiOjE2MzU2MTYyMDB9.K0HS7xKH0ZdXKJJh6gZCqZhVXjHqGq6x2r4M8qE5u8Y",
  "user": {
    "id": 1,
    "username": "johndoe",
    "email": "[email protected]",
    "provider": "local",
    "confirmed": false,
    "blocked": false,
    "createdAt": "2026-03-04T10:30:00.000Z",
    "updatedAt": "2026-03-04T10:30:00.000Z"
  }
}
Using JWT Tokens in Requests
Once you have a JWT token, include it in the Authorization header of your requests to access protected endpoints.
Authorization: Bearer YOUR_JWT_TOKEN
Example Authenticated Request
curl -X GET http://localhost:1337/api/users/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Get Current User
Retrieve the authenticated user’s information using the /api/users/me endpoint.
Example Request
curl -X GET http://localhost:1337/api/users/me \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Response
{
  "id": 1,
  "username": "johndoe",
  "email": "[email protected]",
  "provider": "local",
  "confirmed": false,
  "blocked": false,
  "createdAt": "2026-03-04T10:30:00.000Z",
  "updatedAt": "2026-03-04T10:30:00.000Z"
}
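The three steps of the flow (register or log in, keep the jwt from the response, send it as a Bearer header to /api/users/me) as an added example; this is not code from the MTB docs or from Strapi. It is a small Python client over the standard library. The HTTP transport is injectable: make_fake_transport is a constructed stand-in that answers with bodies shaped like the responses documented on this page, so the example runs offline against no server. Error envelopes are mapped to exceptions, and the "Token expired" 401 from the Token Expiration section is raised as its own type so the caller knows that the only remedy is to log in again. The token literals "fake.jwt.value" and "fake.expired.jwt" are constructed placeholders.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Base URL and paths match the curl examples on this page.
BASE_URL = "http://localhost:1337"

# A transport maps (method, url, headers, body) to (status, parsed JSON body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, dict]]


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, dict]:
    """Real transport; Strapi answers 4xx with the JSON error envelope shown under Error Responses."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class StrapiAuthError(Exception):
    """Any error envelope: carries the status, name and message fields of the response."""

    def __init__(self, status: int, name: str, message: str):
        super().__init__(f"{status} {name}: {message}")
        self.status, self.name, self.message = status, name, message


class TokenExpiredError(StrapiAuthError):
    """401 with 'Token expired': the caller must log in again to obtain a fresh JWT."""


class MtbAuthClient:
    def __init__(self, base_url: str = BASE_URL, transport: Transport = urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.jwt: Optional[str] = None  # held in memory only; never put it in a URL or a log line

    def _call(self, method: str, path: str, body: Optional[dict] = None, auth: bool = False) -> dict:
        headers = {"Content-Type": "application/json"}
        if auth:
            if not self.jwt:
                raise StrapiAuthError(401, "UnauthorizedError", "no token held: call login() first")
            headers["Authorization"] = f"Bearer {self.jwt}"
        data = json.dumps(body).encode() if body is not None else None
        status, payload = self.transport(method, self.base_url + path, headers, data)
        if status >= 400:
            err = payload.get("error", {})
            name, message = err.get("name", "Error"), err.get("message", "")
            if status == 401 and "expired" in message.lower():
                self.jwt = None  # drop the stale token so later calls fail fast instead of retrying it
                raise TokenExpiredError(status, name, message)
            raise StrapiAuthError(status, name, message)
        return payload

    def register(self, username: str, email: str, password: str) -> dict:
        payload = self._call("POST", "/api/auth/local/register",
                             {"username": username, "email": email, "password": password})
        self.jwt = payload["jwt"]
        return payload["user"]

    def login(self, identifier: str, password: str) -> dict:
        payload = self._call("POST", "/api/auth/local", {"identifier": identifier, "password": password})
        self.jwt = payload["jwt"]
        return payload["user"]

    def me(self) -> dict:
        return self._call("GET", "/api/users/me", auth=True)


def make_fake_transport(valid_token: str = "fake.jwt.value", expired_token: str = "fake.expired.jwt") -> Transport:
    """Constructed stand-in for the server so the example runs offline; bodies mirror this page."""
    def fake(method, url, headers, body):
        req = json.loads(body) if body else {}
        if url.endswith("/api/auth/local") and method == "POST":
            if req.get("identifier") == "johndoe" and req.get("password") == "SecurePass123!":
                return 200, {"jwt": valid_token, "user": {"id": 1, "username": "johndoe", "blocked": False}}
            return 401, {"error": {"status": 401, "name": "UnauthorizedError",
                                   "message": "Invalid identifier or password", "details": {}}}
        if url.endswith("/api/users/me") and method == "GET":
            auth = headers.get("Authorization", "")
            if auth == f"Bearer {valid_token}":
                return 200, {"id": 1, "username": "johndoe", "provider": "local"}
            message = "Invalid token: Token expired" if auth == f"Bearer {expired_token}" else "Invalid token"
            return 401, {"error": {"status": 401, "name": "UnauthorizedError", "message": message, "details": {}}}
        return 404, {"error": {"status": 404, "name": "NotFoundError", "message": "Not Found", "details": {}}}
    return fake


def demo() -> dict:
    """Log in, call /api/users/me, hit the expired-token path, recover by logging in again."""
    client = MtbAuthClient(transport=make_fake_transport())
    client.login("johndoe", "SecurePass123!")
    client.me()
    client.jwt = "fake.expired.jwt"  # simulate the token passing its exp
    try:
        client.me()
    except TokenExpiredError:
        client.login("johndoe", "SecurePass123!")  # re-authenticate, as the Token Expiration section says
    return client.me()


if __name__ == "__main__":
    print(demo())
```

Swap make_fake_transport() for the default urllib_transport to talk to a real instance at BASE_URL; nothing else in the client changes. Keeping the transport separate also makes it easy to confirm in a unit test that the token never appears anywhere other than the Authorization header.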
Password Reset
Request a password reset email for a user account.
Request Password Reset
curl -X POST http://localhost:1337/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'
Reset Password with Code
After receiving the reset code via email, use it to set a new password:
curl -X POST http://localhost:1337/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "code": "RESET_CODE_FROM_EMAIL",
    "password": "NewSecurePass123!",
    "passwordConfirmation": "NewSecurePass123!"
  }'
Error Responses
Authentication endpoints may return the following error responses:
400 Bad Request
{
  "error": {
    "status": 400,
    "name": "ValidationError",
    "message": "Email or Username are already taken",
    "details": {}
  }
}
401 Unauthorized
{
  "error": {
    "status": 401,
    "name": "UnauthorizedError",
    "message": "Invalid identifier or password",
    "details": {}
  }
}
403 Forbidden
{
  "error": {
    "status": 403,
    "name": "ForbiddenError",
    "message": "Your account has been blocked by an administrator",
    "details": {}
  }
}
Best Practices
Security Considerations
- Always use HTTPS in production to protect JWT tokens in transit
- Store JWT tokens securely (e.g., httpOnly cookies, secure storage)
- Never expose tokens in URLs or logs
- Implement token refresh mechanisms for long-lived sessions
- Set appropriate token expiration times
Token Storage
- Web Applications: Use httpOnly cookies or secure browser storage (localStorage with proper XSS protection)
- Mobile Applications: Use secure storage mechanisms (iOS Keychain, Android Keystore)
- Server-to-Server: Use environment variables or secure secret management systems
Token Expiration
JWT tokens issued by Strapi have a default expiration time. When a token expires, users must re-authenticate by calling the login endpoint again.
A request made with an expired token receives a 401 Unauthorized response:
{
  "error": {
    "status": 401,
    "name": "UnauthorizedError",
    "message": "Invalid token: Token expired",
    "details": {}
  }
}
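What "expired" means at the token level, as an added example (not code from the MTB docs or from Strapi): the jwt values on this page are three base64url segments, and the middle one carries id, iat and exp as plain JSON. The block below decodes the page's own sample token to read its exp, so a client can tell before sending a request whether it is about to get the 401 above, and then shows the server-side counterpart: a signature check that pins HS256 (the alg in the sample token's header), compares the MAC in constant time and only then enforces exp. The secret used in the demo is constructed for illustration; the real tokens are signed with whatever secret the users-permissions plugin is configured with, which is why verify_hs256 rejects the page's sample token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Sample token from the registration response on this page (header alg=HS256, claims id/iat/exp).
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6MSwiaWF0IjoxNjMzMDI0MjAwLCJleHAiOjE2MzU2MTYyMDB9."
    "K0HS7xKH0ZdXKJJh6gZCqZhVXjHqGq6x2r4M8qE5u8Y"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Read the payload without checking the signature.

    Acceptable for a client deciding whether to log in again before a request;
    never use unverified claims for an authorization decision on the server.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> int:
    """Positive while the token is valid, zero or negative once its exp has passed."""
    claims = decode_claims(token)
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    return claims["exp"] - int(time.time() if now is None else now)


def is_expired(token: str, now: Optional[float] = None, leeway: int = 0) -> bool:
    """True when the token expires within `leeway` seconds (a small leeway absorbs clock skew)."""
    return seconds_until_expiry(token, now) <= leeway


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token with the same header as the page's sample: {"alg":"HS256","typ":"JWT"}."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Server-side check: pin the algorithm, compare the MAC in constant time, then enforce exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg: only HS256 is accepted")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Invalid token: signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("Invalid token: Token expired")
    return claims


if __name__ == "__main__":
    claims = decode_claims(PAGE_TOKEN)
    print("claims:", claims, "| lifetime:", claims["exp"] - claims["iat"], "seconds")
    print("sample token expired now?", is_expired(PAGE_TOKEN))
    # Constructed secret for the demo only; real tokens use the plugin's configured secret.
    fresh = sign_hs256({"id": 1, "iat": 1000, "exp": 1000 + 30 * 86400}, b"demo-secret-not-real")
    print("verified claims:", verify_hs256(fresh, b"demo-secret-not-real", now=2000))
```

Running it shows the sample token's lifetime is exactly 30 days (exp minus iat), which is the expiry window the page's examples were issued with. A client can call is_expired with a leeway of a minute or two to log in again proactively rather than waiting for the 401.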
Next Steps
- API Endpoints: Explore available API endpoints
- Quickstart: Get started with the MTB Backend API