This documents how to use authentication in your API requests when you are working on a web application that lives on the AMO domain or one of its subdomains. If you are looking for how to authenticate with the API from an external client, using your API keys, read the documentation for external authentication instead.
When using this authentication mechanism, the server is responsible for creating a JSON Web Token (JWT) when the user logs in and sending it back in the response. The clients must then include that token in a header on requests that need authentication. The clients never generate JWTs.
Fetching the JWT
A fresh JWT, valid for 30 days, is automatically generated and added to the responses of the following endpoints:
A JWT may also be obtained through the JSON API as outlined in the internal login JSON API section. This is only accessible through the VPN and requires using the following endpoints:
The token is available in two forms:
- For the endpoints returning JSON, as a property called
- For all endpoints, as a cookie called jwt_api_auth_token. This cookie expires after 30 days and is set as
Verifying a JWT
You can verify that a token is valid by calling:
Request JSON Object:
- token (string) – The JWT you want to verify.
If a 400 Bad Request error is returned, the body of the response may contain additional information explaining why the token is invalid.
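The issue-and-verify cycle described above (server mints a 30-day JWT at login, the verify endpoint reports why a token is rejected), as an added stand-alone example that is not addons-server's own code: it uses a constructed demo secret and a hand-rolled HS256 encoder instead of the project's JWT library, and the reason strings are illustrative, not the real API's responses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; the real server keeps its own secret out of the codebase.
SECRET = b"demo-secret-not-real"
TOKEN_LIFETIME = 30 * 24 * 3600  # tokens are valid for 30 days, as the docs state


def _b64(data: bytes) -> str:
    # JWTs use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())


def issue_token(user_id, now=None):
    """Server side: mint a fresh HS256 JWT after a successful login."""
    now = int(time.time()) if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"user_id": user_id, "iat": now, "exp": now + TOKEN_LIFETIME}
    payload = _b64(json.dumps(claims).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}'.encode())}"


def verify_token(token, now=None):
    """Return (valid, reason); the reason is what a 400 response body would explain."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, signature = parts
    # Always recompute with HS256: never trust the token's own alg claim.
    expected = _sign(f"{header}.{payload}".encode())
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return False, "invalid signature"
    try:
        claims = json.loads(_unb64(payload))
    except ValueError:
        return False, "payload is not valid JSON"
    if claims.get("exp", 0) <= now:
        return False, "token has expired"
    return True, "ok"
```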