Authentication API
Overview
User authentication and token management endpoints. For user registration, see Profiles API.
Endpoints
Login
Authenticate with email/password and receive an access token.
Authentication: Not required
Request:
Response:
| Field | Type | Description |
|---|---|---|
tnId |
number | Tenant ID |
idTag |
string | User identity tag |
name |
string | Display name |
token |
string | JWT access token |
roles |
string[] | User roles (e.g., user, SADM) |
profilePic |
string | Profile picture file ID |
settings |
[string, string][] | User settings as key-value pairs |
swEncryptionKey |
string | Service worker encryption key for push notifications (optional) |
Combined Login Init
Combined login initialization that returns all available authentication methods in a single request. If the user already has a valid token, returns the authenticated session directly.
Authentication: Optional
Response (unauthenticated):
Response (already authenticated):
Logout
Invalidate the current session.
Authentication: Required
Change Password
Change the authenticated user’s password.
Authentication: Required
Request:
Response:
Set Password
Set a new password using a reset token. Used during password recovery flow.
Authentication: Not required
Request:
Response:
Forgot Password
Request a password reset email.
Authentication: Not required
Request:
Response:
Refresh Login Token
Refresh the authentication token before it expires.
Authentication: Not required (uses existing valid token)
Response:
Get Access Token
Exchange credentials or tokens for a scoped access token. Supports multiple authentication methods.
Authentication: Not required
Query Parameters:
token- Existing token to exchangerefId- Reference ID for share linksapiKey- API key for programmatic accessscope- Requested scope (optional)refresh- Set totrueto refresh an existing token
Response:
Get Proxy Token
Get a proxy token for accessing remote resources via federation.
Authentication: Required
Query Parameters:
target- Target identity for federation
Response:
QR Code Login
QR code login allows users to authenticate on a desktop browser by scanning a QR code with their mobile device.
Initialize QR Login
Start a QR login session. The returned sessionId is encoded in the QR code, while the secret is kept by the initiating client for verification.
Authentication: Not required
Response:
Poll QR Login Status
Long-poll the QR login session for status changes. The request blocks until the status changes or the timeout expires.
Authentication: Not required
Path Parameters:
session_id- The session ID from the init response
Query Parameters:
timeout- Long-poll timeout in seconds (default: 15, max: 30)
Headers:
x-qr-secret- The secret from the init response (required for verification)
Response:
Status Values:
| Status | Description |
|---|---|
pending |
Waiting for mobile device to scan |
approved |
User approved on mobile - login field included |
denied |
User denied on mobile |
expired |
Session timed out |
Get QR Login Details
Get the details of a QR login session. Called by the mobile device after scanning the QR code to display the login request to the user.
Authentication: Required
Path Parameters:
session_id- The session ID encoded in the QR code
Response:
Respond to QR Login
Approve or deny a QR login request from the mobile device.
Authentication: Required
Path Parameters:
session_id- The session ID from the QR code
Request:
| Field | Type | Required | Description |
|---|---|---|---|
approved |
boolean | Yes | Whether to approve or deny the login |
Response:
WebAuthn (Passkey) Authentication
WebAuthn enables passwordless authentication using passkeys (biometrics, security keys, etc.).
List Passkey Registrations
List all registered passkeys for the authenticated user.
Authentication: Required
Response:
Get Registration Challenge
Get a challenge for registering a new passkey.
Authentication: Required
Response:
Register Passkey
Complete passkey registration with the WebAuthn response.
Authentication: Required
Request:
Response:
Delete Passkey
Remove a registered passkey.
Authentication: Required
Path Parameters:
key_id- The passkey identifier to delete
Response:
Get Login Challenge
Get a challenge for passkey authentication.
Authentication: Not required
Query Parameters:
idTag- User identity (optional, for usernameless flow)
Response:
Login with Passkey
Authenticate using a passkey.
Authentication: Not required
Request:
Response:
API Key Management
API keys enable programmatic access without interactive login.
List API Keys
List all API keys for the authenticated user.
Authentication: Required
Response:
Create API Key
Create a new API key.
Authentication: Required
Request:
Response:
Warning
The key field is only returned once at creation. Store it securely.
Get API Key
Get details of a specific API key.
Authentication: Required
Path Parameters:
key_id- The API key identifier
Response:
Update API Key
Update an API key’s metadata.
Authentication: Required
Path Parameters:
key_id- The API key identifier
Request:
Response:
Delete API Key
Revoke and delete an API key.
Authentication: Required
Path Parameters:
key_id- The API key identifier
Response:
Public Endpoints
Get Tenant Profile (Public)
Get the tenant (server) profile with public keys. This is a public endpoint that returns the server’s identity information.
Note: Both paths return the same data; /full is an alias for compatibility.
Authentication: Not required
Response:
Resolve Identity Tag
Resolve a domain-based identity to a Cloudillo server. This is part of the DNS-based identity system.
Authentication: Not required
Query Parameters:
idTag- The identity to resolve (e.g.,alice@example.com)
Response:
Get VAPID Public Key
Get the VAPID public key for push notification subscriptions.
Authentication: Required
Response:
See Also
- Profiles API - User registration and profile management
- Admin API - Administrative endpoints