Authentication
The Inpera API supports JWT-based authentication with HTTP-only cookies and project key authentication.
Login
POST /auth/login
Content-Type: application/json
{
  "email": "[email protected]",
  "password": "your-password",
  "twoFactorToken": "optional-2fa-code"
}
The response sets HTTP-only cookies for accessToken and refreshToken.
Register
POST /auth/register
Content-Type: application/json
{
  "email": "[email protected]",
  "password": "secure-password",
  "name": "John Doe"
}
Token Refresh
POST /auth/refresh
Uses the refreshToken cookie, or a refreshToken passed in the request body:
{
  "refreshToken": "your-refresh-token"
}
Logout
POST /auth/logout
Clears authentication cookies and blacklists the current token.
Password Reset
Request Reset
POST /auth/request-password-reset
{
  "email": "[email protected]"
}
Sends an OTP code to the email address.
Verify OTP
POST /auth/verify-password-reset-otp
{
  "email": "[email protected]",
  "otpCode": "123456"
}
Returns a reset token.
Reset Password
POST /auth/reset-password-with-token
{
  "resetToken": "token-from-verify",
  "newPassword": "new-secure-password"
}
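The three reset steps above chained into one client call, as an added example that is not part of the Inpera documentation. The base URL, the `resetToken` response field name and the function names are assumptions; the page gives only the endpoints and request bodies.

```python
import json
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder; the page gives no base URL


def http_post(path, body):
    """Default transport: POST a JSON body, return the decoded JSON reply."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def reset_password(email, read_otp, new_password, post=http_post):
    """Request a reset, verify the emailed OTP, then set the new password.

    read_otp is a callable returning the code the user received by email.
    """
    post("/auth/request-password-reset", {"email": email})
    verified = post("/auth/verify-password-reset-otp",
                    {"email": email, "otpCode": read_otp()})
    # Assumption: the reset token is returned in a "resetToken" JSON field.
    token = (verified or {}).get("resetToken")
    if not token:
        # Stop here so the new password is never sent without a reset token.
        raise ValueError("OTP verification returned no reset token")
    post("/auth/reset-password-with-token",
         {"resetToken": token, "newPassword": new_password})
    return True


if __name__ == "__main__":
    # Constructed stand-in for the server so the flow runs offline.
    def fake_post(path, body):
        print("POST", path, sorted(body))  # field names only, no secrets
        return {"resetToken": "constructed-token"} if "otpCode" in body else {}

    reset_password("user@example.com", lambda: "123456", "new-secure-password",
                   post=fake_post)
```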
Change Password
POST /auth/change-password
Authorization: Bearer YOUR_TOKEN
{
  "currentPassword": "current-password",
  "newPassword": "new-password"
}
Invitations
Get Invitation
GET /auth/invitation/:token
Accept Invitation
POST /auth/invitation/:token/accept
{
  "password": "new-password",
  "name": "John Doe"
}
WebSocket Authentication
GET /auth/websocket-token
Authorization: Bearer YOUR_TOKEN
Returns a short-lived token for WebSocket connections.
Project Key Authentication
For embed script and public endpoints:
POST /v1/collect
x-project-key: YOUR_PROJECT_KEY
{ ... }
POST /annotations/public
x-project-key: YOUR_PROJECT_KEY
{ ... }