|
MantisBase v0.3.7
|
MantisBase provides authentication endpoints scoped to auth-type entities. Each auth entity exposes login, refresh, and logout under /api/v1/auth/<entity>/.
Admin authentication uses /api/v1/sys/admins/ instead.
<entity> must be a registered entity that is:
authmb_admins)has_api: true)If the entity is missing or does not meet these requirements, the route returns 404 Route Not Found.
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/<entity>/login | Authenticate user and get token |
| POST | /api/v1/auth/<entity>/refresh | Refresh an existing token |
| POST | /api/v1/auth/<entity>/logout | Logout (invalidate token) |
For admin authentication and initial setup, see System Endpoints – Admin Accounts (/api/v1/sys/admins/).
Authenticate a user and receive a JWT token.
⚠️ Rate Limiting: Login is rate-limited to 5 attempts per minute per IP address to prevent brute force attacks. If you exceed this limit, you'll receive a
429 Too Many Requestsresponse with aRetry-Afterheader indicating when you can try again.
Endpoint: POST /api/v1/auth/<entity>/login
Request Body:
Request Fields:
identity (required): User identifier — email address or user IDpassword (required): User's passwordThe target entity is taken from the URL path, not the request body.
Response (Success - 200):
Response (Error - 404):
Response (Rate Limited - 429):
The rate limit response includes these headers:
X-RateLimit-Limit: Maximum requests allowed (5)X-RateLimit-Remaining: Remaining requests in window (0 when rate limited)X-RateLimit-Reset: Unix timestamp when the window resetsRetry-After: Seconds to wait before retryingExamples:
Login with email:
Login with user ID:
Refresh an existing JWT token to extend its validity.
Endpoint: POST /api/v1/auth/<entity>/refresh
Request Headers:
Response (Success - 200):
Example:
Logout and invalidate the current token.
Endpoint: POST /api/v1/auth/<entity>/logout
Request Headers:
Response (Success - 200):
Example:
Admin account setup and admin-only authentication use the /api/v1/sys/admins/ namespace. See System Endpoints – Admin Accounts in the API reference.
Initial setup: POST /api/v1/sys/admins/setup (only when no admin accounts exist)
Admin login: POST /api/v1/sys/admins/login
After receiving a token from the login endpoint, include it in all subsequent API requests:
The token contains user information (id, entity) and is validated automatically by the getAuthToken() middleware on all endpoints.
By default, tokens expire after 1 hour. Use the refresh endpoint to extend token validity without requiring the user to log in again.
The authentication API provides secure user authentication with JWT tokens scoped to auth-type entities. Tokens are automatically validated on all entity endpoints, ensuring only authenticated users can access protected resources.