The auth endpoints handle user authentication and token generation for accessing protected API endpoints.

Login

POST /api/v1/login
Authenticates a user and returns a JWT token for subsequent API requests.
The exact login endpoint path is configurable via app.login_endpoint in the configuration file. The default is /api/v1/login.
This endpoint is rate-limited to 3 requests per day to prevent brute-force attacks.

Request body

  • username (string, required): User’s username
  • password (string, required): User’s password

Response

  • token (string | null): JWT token for authenticated requests. null if authentication fails.
  • error (string | null): Error message if authentication fails. null on success.

Using the token

Once you receive a token, include it in the Authorization header of subsequent API requests:
curl -X GET "https://archive.example.com/api/v1/reports" \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"

Token expiration

There is no token logout endpoint. Tokens expire based on the configured JWT expiration time. To invalidate all tokens before expiration, the application’s secret key must be changed.

Rate limiting

The login endpoint is protected by rate limiting:
  • Maximum 3 login attempts per day per IP address
  • Rate limit resets after 24 hours
Exceeding the rate limit will result in a 429 Too Many Requests response.

Security considerations

Always use HTTPS in production to protect credentials and tokens during transmission.
  • Tokens are signed with the application’s secret key
  • Failed login attempts are rate-limited to prevent brute-force attacks
  • Usernames and passwords are trimmed of whitespace before validation
  • Passwords are hashed using scrypt with a 16-byte salt
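The login behaviour this page describes (credentials trimmed before validation, scrypt with a 16-byte salt, a JWT signed with the application secret that expires and is invalidated by changing the secret, and 3 attempts per IP per 24 hours answered with 429), as an added reference example in Python; it is not the project's own code. It assumes HS256 signing, a 3600-second token lifetime, made-up scrypt cost parameters, a 401 status for a failed login, and a constructed in-memory user store.

```python
from __future__ import annotations
import base64, hashlib, hmac, json, os, time

SECRET = os.urandom(32)          # application secret key (constructed for this example)
JWT_TTL = 3600                   # assumed JWT expiration in seconds (the real value is configurable)
LIMIT, WINDOW = 3, 24 * 3600     # 3 login attempts per IP per 24 hours, as documented

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """scrypt with a 16-byte salt as the page states; the n/r/p cost parameters are assumed."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

USERS = {"alice": hash_password("correct horse")}   # constructed sample user store
_attempts: dict[str, list[float]] = {}              # per-IP timestamps of login attempts

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_jwt(sub: str, secret: bytes, now: float) -> str:
    """Compact JWT with an exp claim, signed with the application secret (HS256 is assumed)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": sub, "iat": int(now), "exp": int(now) + JWT_TTL}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_jwt(token: str, secret: bytes, now: float) -> dict | None:
    """Returns the claims if the signature checks out and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):   # a rotated secret makes every old token fail here
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > now else None

def login(username: str, password: str, ip: str, now: float) -> tuple[int, dict]:
    """Returns (http_status, body) using the page's {token, error} response shape."""
    recent = [t for t in _attempts.get(ip, []) if now - t < WINDOW]
    if len(recent) >= LIMIT:
        return 429, {"token": None, "error": "Too Many Requests"}
    _attempts[ip] = recent + [now]
    username, password = username.strip(), password.strip()       # trimmed before validation
    salt, stored = USERS.get(username, (bytes(16), bytes(64)))     # dummy keeps unknown-user timing similar
    _, candidate = hash_password(password, salt)
    if username not in USERS or not hmac.compare_digest(candidate, stored):
        return 401, {"token": None, "error": "Invalid username or password"}   # 401 is assumed
    return 200, {"token": mint_jwt(username, SECRET, now), "error": None}
```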
