Skip to content

Authentication

Today the API authenticates with an opaque session bearer token. You obtain one by logging in with your operator credentials, then send it as an Authorization: Bearer <token> header on every request. This is the canonical auth flow - other pages refer back here.

Log in with POST /api/auth/login to mint a session and receive a token.

Method Path Purpose Auth
POST /api/auth/login Log in, mint a session token public
GET /api/auth/me Return the authenticated user session
POST /api/auth/logout Invalidate the current session session

The body takes email and password. A successful login returns { user, token } - store token and send it on subsequent requests.

Terminal window
curl -X POST "https://thesidedoor.co/api/auth/login" \
-H "Content-Type: application/json" \
-d '{"email":"operator@example.com","password":"your-password"}'
{
"user": { "id": "usr_123", "role": "client", "name": "Jo Operator" },
"token": "s3ss10n.abc123signaturepart"
}

If the account has TOTP two-factor enabled, POST /api/auth/login does not return a token. Instead it returns { requires_2fa: true, user_id }. Complete the login by posting the current 6-digit code to POST /api/2fa/validate with { user_id, token }; that call returns the usual { user, token }.

{ "requires_2fa": true, "user_id": "usr_123" }

Send the token as a bearer header. Store it in the SIDEDOOR_TOKEN environment variable and reuse it across calls. GET /api/auth/me is a good check that a token is valid.

Terminal window
curl "https://thesidedoor.co/api/auth/me" \
-H "Authorization: Bearer $SIDEDOOR_TOKEN"
{ "user": { "id": "usr_123", "role": "client", "name": "Jo Operator" } }

Sessions are stored server-side and slide on use - each authenticated request extends the expiry. TTLs depend on the account role:

Role Sliding TTL
Operator/staff (client, organiser) 3 days
Admin 24 hours

A missing or expired token on any /api/* route returns 401:

{ "error": "Session expired. Please sign in again." }

Re-run the login flow to mint a fresh token.

POST /api/auth/logout invalidates the current session server-side. Discard the token afterwards.

Terminal window
curl -X POST "https://thesidedoor.co/api/auth/logout" \
-H "Authorization: Bearer $SIDEDOOR_TOKEN"
{ "success": true }