JWT Authentication - Getting started with examples

This document provides examples for API calls to obtain a JWT token, use it, and revoke it.

  1. Sign-in Service
    The sign-in service uses credentials to issue a refresh token, which has a limited lifespan (default 24 hours, configurable per environment). This refresh token is used to obtain access tokens.

    Sign-in Endpoint:
    POST /api/rest/signin
    Parameters (multipart/form-data):

    • login: User's login ID

    • password: User's password

    Response: A JSON object containing:

    • refreshToken: Refresh JWT Token

    • accessToken: Access JWT Token

    A 201 status in the response indicates token creation.

    Example (curl):

    curl --request POST \
      --url 'https://club-wed.wedia-group.com/api/rest/signin' \
      --header 'Content-Type: multipart/form-data' \
      --form login=john.doe@email.org \
      --form 'password=#thePassword1234!'
  2. Token Service
    This service is used to obtain an access token with a limited duration (default 20 minutes, configurable). The response is the same as for the sign-in service.

    Token Endpoint:
    POST /api/rest/token
    Parameter:

    • token: The refresh token

    The token can also be passed as a bearer.

    Example (curl):

    curl --request POST \
      --url https://club-wed.wedia-group.com/api/rest/token \
      --header 'Content-Type: multipart/form-data' \
      --form token=<the refresh JWT token>
  3. Sign-out Service
    This service revokes the refresh token, making it unusable for future access token generation.

    Sign-out Endpoint:
    POST /api/rest/signout
    Parameter:

    • token: The refresh token

    The token can also be passed as a bearer.

    Example (curl):

    curl --request POST \
      --url https://club-wed.wedia-group.com/api/rest/signout \
      --header 'Content-Type: multipart/form-data' \
      --form token=<the refresh JWT token>
  4. Login with Application Key
    For API key login, the same services are used with an additional parameter for the sign-in service:

    • login: The key

    • password: The secret

    • application: Application name

  5. Invoking Services
    To invoke a service, pass the access token in the Authentication header as a bearer.

    Example (curl):

  6. Web Application Login using Cookies
    When using these services in a web application, it's preferable to encapsulate the token within a cookie. This is done automatically by adding cookieauth=true to the sign-in service parameters. For any other services (including token refresh and sign-out services), the cookie is passed by the browser.

  7. Specifying Token Duration
    By default, the refresh token expires after 24 hours and the access token after 20 minutes (configurable per environment). If allowed, and depending on the environment, a longer-duration token can be obtained during sign-in using:

    • exp: Token expiration time (UTC Unix epoch time, ISO datetime, or 'unlimited')

    In cookie mode, the token duration is "session", meaning it expires when the session does.
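    The following Python client is an added example and not code from this page or from Wedia: it walks through sections 1 to 5 (and accepts the application and exp parameters of sections 4 and 7), signs in, keeps the refresh/access pair, refreshes the access token through the token service shortly before its exp claim runs out, sends it as a bearer, and revokes the refresh token on sign-out. It assumes the "Authentication header" above is the standard HTTP Authorization header, that the token service answers with any 2xx status, and that a plain multipart/form-data body matches what the curl examples send; the transport is injectable so the flow can be exercised offline.

```python
import base64, json, time, urllib.request

def jwt_exp(token):
    # Read the 'exp' claim only; this is not signature verification (the server does that).
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))).get("exp", 0)

class WediaSession:
    """Holds the refresh/access token pair and drives the endpoints of sections 1-5."""
    def __init__(self, send=None, base_url="https://club-wed.wedia-group.com"):
        self.send = send or self._http_send  # transport is injectable for offline tests
        self.base_url, self.refresh_token, self.access_token = base_url, None, None
    def _http_send(self, path, fields, bearer=None):
        # POST multipart/form-data as in the page's curl examples; returns (status, json body).
        b = "wedia-jwt-example-boundary"  # assumed boundary string, any unique value works
        body = "".join(f'--{b}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
                       for k, v in fields.items()) + f"--{b}--\r\n"
        headers = {"Content-Type": f"multipart/form-data; boundary={b}"}
        if bearer:  # the access token travels in the HTTP Authorization header as a bearer
            headers["Authorization"] = f"Bearer {bearer}"
        req = urllib.request.Request(self.base_url + path, body.encode(), headers, method="POST")
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    def signin(self, login, password, **extra):
        # extra: application=<name> for key login (section 4), exp=<time> for longer tokens (section 7)
        status, data = self.send("/api/rest/signin", {"login": login, "password": password, **extra})
        if status != 201:  # 201 indicates token creation
            raise RuntimeError(f"sign-in failed: HTTP {status}")
        self.refresh_token, self.access_token = data["refreshToken"], data["accessToken"]
        return self.access_token
    def access(self, now=None, margin=60):
        # Return a usable access token, refreshing it via the token service near expiry (section 2).
        now = time.time() if now is None else now
        if jwt_exp(self.access_token) - now < margin:
            status, data = self.send("/api/rest/token", {"token": self.refresh_token})
            if not 200 <= status < 300:  # assumption: any 2xx means a token was issued
                raise RuntimeError(f"refresh failed: HTTP {status}")
            self.access_token = data["accessToken"]
            self.refresh_token = data.get("refreshToken") or self.refresh_token  # keep a rotated one
        return self.access_token
    def call(self, path, fields=None, now=None):
        # Invoke any service with the access token passed as bearer (section 5).
        return self.send(path, fields or {}, bearer=self.access(now))
    def signout(self):
        # Revoke the refresh token (section 3), then forget both tokens.
        status, _ = self.send("/api/rest/signout", {"token": self.refresh_token})
        self.refresh_token = self.access_token = None
        return status
```

    Use it as `s = WediaSession(); s.signin(login, password); s.call("/api/rest/<service>")`; the refresh is triggered by reading exp, so a server-side revocation still has to be handled by checking the status of the response.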