Skip to main content
Planned feature: The authentication flow described here represents the intended JWT authentication design. This is not yet implemented in the current codebase.

Overview

The planned OrgStack API will use JSON Web Tokens (JWT) for authentication. To access protected endpoints, you will need to include a valid JWT token in the Authorization header of your requests.
JWT tokens have an expiration time. When your token expires, you’ll need to obtain a new one by logging in again.

Authentication flow

Follow these steps to authenticate and make authorized API requests:
1

Obtain credentials

Ensure you have valid user credentials (username/email and password) for the OrgStack system.
2

Request a token

Send a POST request to the /api/auth/login endpoint with your credentials.
3

Store the token

Save the JWT token returned in the response securely in your application.
4

Use the token

Include the token in the Authorization header as a Bearer token for all subsequent requests.

Obtaining a JWT token

To obtain a JWT token, send a POST request to the login endpoint with your credentials.

Endpoint

POST /api/auth/login

Request body

FieldTypeRequiredDescription
usernamestringYesYour username or email address
passwordstringYesYour account password

Example request

curl -X POST http://localhost:8080/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "[email protected]",
    "password": "securepassword"
  }'

Success response

Status Code: 200 OK 
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
  "userId": "123e4567-e89b-12d3-a456-426614174000",
  "username": "[email protected]",
  "expiresIn": 86400
}
FieldTypeDescription
tokenstringThe JWT token to use for authentication
userIdstringThe unique identifier of the authenticated user
usernamestringThe username of the authenticated user
expiresInintegerToken expiration time in seconds

Error responses

Status Code: 401 Unauthorized 
{
  "error": "Unauthorized",
  "message": "Invalid username or password",
  "timestamp": "2026-03-01T10:30:00Z"
}
Status Code: 400 Bad Request 
{
  "error": "Bad Request",
  "message": "Username and password are required",
  "timestamp": "2026-03-01T10:30:00Z"
}
Never share your JWT token or include it in client-side code that could be publicly accessible. Treat tokens like passwords.

Using JWT tokens

Once you have a JWT token, include it in the Authorization header of your requests using the Bearer authentication scheme.

Header format

Authorization: Bearer YOUR_JWT_TOKEN

Example authenticated request

curl -X GET http://localhost:8080/api/organizations \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token expiration

JWT tokens expire after a set period (typically 24 hours). When your token expires, API requests will return a 401 Unauthorized response.

Handling expired tokens

When you receive a 401 error due to an expired token:
  1. Request a new token by calling /api/auth/login again
  2. Update your stored token with the new one
  3. Retry the failed request with the new token
Implement automatic token refresh logic in your application to handle expiration gracefully without requiring user intervention.

Security best practices

Follow these security best practices when working with JWT tokens:
1

Use HTTPS in production

Always use HTTPS to encrypt tokens in transit. The localhost URL shown in examples is for development only.
2

Store tokens securely

Store tokens in secure storage mechanisms appropriate for your platform (e.g., encrypted storage, secure cookies, environment variables).
3

Don't expose tokens

Never log tokens, commit them to version control, or expose them in client-side code.
4

Implement token refresh

Build automatic token refresh logic to handle expiration without user disruption.
5

Handle logout

Clear stored tokens when users log out to prevent unauthorized access.

Common authentication errors

Status CodeErrorSolution
401Invalid username or passwordVerify your credentials are correct
401Invalid or expired tokenRequest a new token by logging in again
401Missing authorization headerInclude the Authorization header with your token
403Insufficient permissionsYour account lacks permission for this operation
If you receive multiple 401 errors with valid credentials, your account may be locked or disabled. Contact your administrator.

Next steps

Now that you understand authentication, you can:
  • Explore available API endpoints in the documentation
  • Build your integration using authenticated requests
  • Implement error handling for authentication failures

Build docs developers (and LLMs) love

Get started for freeTalk to us