Authentication

Magne uses JWT (JSON Web Tokens) for API authentication with a refresh token rotation scheme.

Auth Flow

Call POST /v1/auth/register or POST /v1/auth/login to receive an initial token pair.

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "550e8400-e29b-41d4...",
  "user": {
    "id": "...",
    "username": "example"
  }
}

Use the Access Token

Include the token in the Authorization header for all authenticated requests:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Refresh When Expired

Access tokens are short-lived. When expired, use the refresh token:

POST /v1/auth/refresh
Content-Type: application/json

{
  "refreshToken": "550e8400-e29b-41d4..."
}

This returns a new access token AND a new refresh token (rotation). The old refresh token is invalidated.

Token	Lifetime	Storage
Access Token	Short-lived (minutes)	Memory only
Refresh Token	30 days	Secure storage, hashed in DB

These endpoints do not require a Bearer token:

Endpoint	Purpose
`POST /v1/auth/register`	Account registration
`POST /v1/auth/login`	Login
`POST /v1/auth/verify-email`	Email verification
`POST /v1/auth/resend-code`	Resend verification code
`POST /v1/auth/forgot-password`	Password reset request
`POST /v1/auth/reset-password`	Password reset execution
`POST /v1/auth/refresh`	Token refresh
`POST /v1/webhooks/:id/:token`	Webhook execution (token in URL)
`GET /v1/invites/:code/preview`	Invite preview
`GET /v1/health`	Health check