Skip to content

Token Authentication

Overview

Bearer tokens authenticate requests to the Tenant API, Admin API, and Billing Portal. Tokens are issued via the login endpoint and carry ability scopes.

Obtaining a Token

Endpoint: POST /api/auth/login

json
{
  "email": "admin@example.com",
  "password": "your-password"
}

Response (200):

json
{
  "data": {
    "token": "1|abc123def456...",
    "admin": {
      "id": 1,
      "name": "Ian Holt",
      "email": "admin@example.com",
      "created_at": "2026-03-30T00:00:00.000000Z",
      "updated_at": "2026-03-30T00:00:00.000000Z"
    }
  },
  "meta": {
    "api_version": "1",
    "request_id": "uuid"
  }
}

Using a Token

Include the token in the Authorization header:

GET /api/v1/admin/tenants
Authorization: Bearer 1|abc123def456...
Content-Type: application/json

Token Abilities

AbilityIssued toGrants access to
adminAdmin users/api/v1/admin/*, /api/auth/logout, /api/auth/me
tenantTenant users/api/v1/tenant/*, /api/v1/billing/*

Admin tokens cannot access tenant routes. Tenant tokens cannot access admin routes.

Multi-Tenant Header

If your user belongs to multiple tenants, include the X-Tenant-ID header:

GET /api/v1/tenant/products
Authorization: Bearer {token}
X-Tenant-ID: tenant-uuid-here

If your user belongs to only one tenant, this header is optional — the tenant is auto-selected.

Logging Out

Endpoint: POST /api/auth/logoutAuth: Bearer token

Revokes the current token. Returns 204 No Content.

Token Lifecycle

  • Tokens do not expire by default (Sanctum default behavior)
  • Tokens are revoked on logout
  • A 401 response indicates the token is invalid or revoked
  • Rate limiting on login: 5 attempts per 60 seconds

Error Codes

CodeHTTPDescription
AUTH.INVALID_CREDENTIALS401Wrong email or password
AUTH.UNAUTHENTICATED401Missing or invalid token
AUTH.INSUFFICIENT_PERMISSIONS403Token lacks required ability
AUTH.TOKEN.REQUIRED401No authentication provided
AUTH.TOKEN.INVALID_SCOPE403Token missing required scope (e.g., tenant)