Authentication API
Overview
The Authentication API provides endpoints for user authentication, session management, and token exchange. All authenticated API calls require a valid access token obtained through the authentication flow.
Base URL
https://<manager-host>/api/v1/auth
Endpoints
POST /api/v1/auth/login
Create a session from email/password credentials.
Request:
POST /api/v1/auth/login
Content-Type: application/json
{
"email": "user@example.com",
"password": "Password1!"
}
Success Response (200):
{
"session_id": "session-1",
"session_token": "token-1",
"verified_at": "2024-01-01T00:00:00Z",
"expires_at": "2024-01-01T01:00:00Z"
}
Errors:
401- Authentication failure (invalid credentials)500- Backend/state errors
POST /api/v1/auth/token
Exchange a session for an access token (required for bearer auth).
Request:
POST /api/v1/auth/token
Content-Type: application/json
{
"session_id": "session-1",
"session_token": "token-1",
"grant_type": "session",
"scope": "openid profile"
}
Success Response (200):
{
"access_token": "<token>",
"scope": "openid profile",
"expires_in": 3600,
"token_type": "bearer"
}
Token Scopes
The scope parameter in the token exchange request is a space-separated string of permissions requested for the access token.
Scope Resolution When a token is requested, the backend system filters the requested scopes against the user’s actual permissions. The resulting access token will only contain the subset of requested scopes that the user is authorized to possess.
Naming and Design
Scope names are defined by the applications that consume the tokens, not by the central IAM system. To prevent collisions between different applications or modules, it is highly recommended that application developers use URN-style prefixes for scope names (e.g., urn:acd:manager:config:read).
Errors:
401- Authentication failure (invalid session)500- Backend/state errors
POST /api/v1/auth/logout
Revoke a session. Note: This does not revoke issued access tokens; they remain valid until expiration.
Request:
POST /api/v1/auth/logout
Content-Type: application/json
{
"session_id": "session-1",
"session_token": "token-1"
}
Success Response (200):
{
"status": "Ok"
}
Errors:
400- Invalid session parameters500- Backend/state errors
Complete Authentication Flow Example
# Step 1: Login to get session
curl -s -X POST "https://cdn-manager/api/v1/auth/login" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "Password1!"
}' | tee /tmp/session.json
SESSION_ID=$(jq -r '.session_id' /tmp/session.json)
SESSION_TOKEN=$(jq -r '.session_token' /tmp/session.json)
# Step 2: Exchange session for access token
curl -s -X POST "https://cdn-manager/api/v1/auth/token" \
-H "Content-Type: application/json" \
-d "$(jq -nc --arg sid "$SESSION_ID" --arg st "$SESSION_TOKEN" \
'{session_id:$sid,session_token:$st,grant_type:"session",scope:"openid"}')" \
| tee /tmp/token.json
ACCESS_TOKEN=$(jq -r '.access_token' /tmp/token.json)
# Step 3: Call a protected endpoint
curl -s "https://cdn-manager/api/v1/metrics" \
-H "Authorization: Bearer ${ACCESS_TOKEN}"
Using the Access Token
Once you have obtained an access token, include it in the Authorization header of all API requests:
Authorization: Bearer <access_token>
Example:
curl -s "https://cdn-manager/api/v1/configuration" \
-H "Authorization: Bearer ${ACCESS_TOKEN}"
Token Expiration
Access tokens expire after the duration specified in expires_in (typically 3600 seconds / 1 hour). When a token expires, you must re-authenticate to obtain a new token.
Next Steps
- Health API - Liveness and readiness probes
- Selection Input API - Key-value and list storage
- OpenAPI Specification - Complete API specification