Overview
The BR-ACC API uses JWT (JSON Web Token) authentication with HTTP-only cookies for secure session management. Authentication is required for most API endpoints.Authentication Flow
- Register a new user account with an email and password (requires invite code if configured)
- Login with credentials to receive a JWT access token
- Include the token in requests via Bearer Authorization header or cookie
- Logout to invalidate the session cookie
Registration
Create a new user account.Endpoint
Request Body
User’s email address. Maximum 254 characters.
User’s password. Must be between 8 and 128 characters.
Invitation code (required if
INVITE_CODE environment variable is configured on the server).Example Request
Response
Unique user identifier (UUID).
User’s email address.
ISO 8601 timestamp of when the user was created.
Error Responses
403 Forbidden - Invalid invite code:Login
Authenticate with credentials to receive a JWT access token.Endpoint
Request Body
The login endpoint uses OAuth2 password flow format (application/x-www-form-urlencoded):
User’s email address (OAuth2 convention uses “username” field).
User’s password.
Example Request
Response
JWT access token for authenticating subsequent requests.
Token type (always “bearer”).
Session Cookie
On successful login, the API sets an HTTP-only cookie namedbracc_session (configurable via AUTH_COOKIE_NAME) with the following attributes:
- Max-Age: 1440 minutes (24 hours) by default (configurable via
JWT_EXPIRE_MINUTES) - HttpOnly:
true(prevents JavaScript access) - Secure:
truein production (requires HTTPS) - SameSite:
lax(configurable:lax,strict,none) - Path:
/
Error Response
401 Unauthorized - Invalid credentials:Using the Access Token
Include the JWT token in subsequent requests using one of these methods:Method 1: Authorization Header (Recommended)
Method 2: Session Cookie
If your client supports cookies, the session cookie is automatically included:Get Current User
Retrieve information about the currently authenticated user.Endpoint
Example Request
Response
User’s unique identifier.
User’s email address.
ISO 8601 timestamp of when the user was created.
Logout
Invalidate the current session by deleting the session cookie.Endpoint
Example Request
bracc_session cookie is deleted.
JWT Token Structure
The JWT token contains the following payload:Subject (user ID).
Expiration time (Unix timestamp).
Token Configuration
JWT tokens are configured with:- Algorithm: HS256 (HMAC with SHA-256)
- Expiration: 1440 minutes (24 hours) by default
- Secret Key: Configured via
JWT_SECRET_KEYenvironment variable (must be >= 32 characters in production)
Security Considerations
Password Requirements
- Minimum length: 8 characters
- Maximum length: 128 characters
- Passwords are hashed using bcrypt before storage
JWT Secret Key
In production environments, you must set a strong JWT secret key:Rate Limiting for Authentication
Authentication endpoints are strictly rate-limited to 10 requests per minute to prevent brute-force attacks.Invite Codes
If your deployment requires controlled registration, set theINVITE_CODE environment variable:
invite_code in the request body.
Environment Variables
Secret key for signing JWT tokens. Must be >= 32 characters in production.
Algorithm for JWT signing (only HS256 is supported).
JWT token expiration time in minutes (default: 24 hours).
Required invite code for registration (empty = no invite code required).
Name of the session cookie.
Whether to set the Secure flag on session cookies (automatically true in production).
SameSite attribute for session cookies (lax, strict, or none).
Next Steps
Search Entities
Search for entities using your access token
Entity Details
Retrieve detailed entity information