API Authentication
Learn how to authenticate with the BotLaunch API using JWT tokens. Secure your requests and manage access to your resources.
Secure stateless authentication using JSON Web Tokens.
Access tokens expire in 1 hour, refresh tokens in 7 days.
Use refresh tokens to obtain new access tokens seamlessly.
Authentication Flow
Follow these steps to authenticate and make secure API requests.
1. Login: Obtain tokens with credentials
2. Store Tokens: Securely store both tokens
3. Make Requests: Include token in headers
4. Refresh: Get new token when expired
Authentication Endpoints
/api/auth/login
Authenticate a user and receive access and refresh tokens.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | | User's email address |
| password | string | | User's password |
Example Request
curl -X POST "https://api.botlaunch.io/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "your-secure-password"
  }'
Example Response
{
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expiresIn": 3600,
    "user": {
      "id": "usr_abc123",
      "email": "user@example.com",
      "role": "CLIENT_OWNER"
    }
  },
  "message": "Login successful"
}
/api/auth/register
Create a new user account and organization.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | | Valid email address |
| password | string | | Min 8 chars, 1 uppercase, 1 number |
| name | string | | User's full name |
| organizationName | string | Optional | Organization name |
Example Request
curl -X POST "https://api.botlaunch.io/api/auth/register" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newuser@example.com",
    "password": "SecureP@ssw0rd!",
    "name": "John Doe",
    "organizationName": "My Company"
  }'
/api/auth/refresh
Exchange a refresh token for a new access token.
Example Request
curl -X POST "https://api.botlaunch.io/api/auth/refresh" \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "your-refresh-token"
  }'
Token Rotation
Each refresh request returns a new refresh token. Store and use the latest refresh token for subsequent requests.
/api/auth/logout
Invalidate the current session and revoke tokens.
Example Request
curl -X POST "https://api.botlaunch.io/api/auth/logout" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json"
Using Access Tokens
Include your access token in the Authorization header for all API requests.
// Include the access token in all API requests
const response = await fetch("https://api.botlaunch.io/api/bots", {
  headers: {
    "Authorization": "Bearer eyJhbGciOiJIUzI1NiIs...",
    "x-organization-id": "org_xyz789",
    "Content-Type": "application/json"
  }
});
Required Headers
- Authorization: Bearer token
- x-organization-id: Organization ID
- Content-Type: application/json
Security Best Practices
- Store tokens securely (never in localStorage for web)
- Use HTTPS for all API requests
- Implement token refresh before expiry
- Revoke tokens on logout or security events
Authentication Errors
Common authentication errors and how to handle them.
| Status | Error | Description | Solution |
|---|---|---|---|
| 401 | Unauthorized | Missing or invalid token | Check Authorization header |
| 401 | Token Expired | Access token has expired | Use refresh token to get new access token |
| 403 | Forbidden | Insufficient permissions | Check user role and organization access |
| 429 | Too Many Requests | Login rate limit exceeded | Wait and retry after cooldown |
| 400 | Invalid Credentials | Wrong email or password | Verify credentials and try again |
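
The Token Rotation note, the "refresh before expiry" practice and the 401 Token Expired row above can be handled by one client wrapper. This is an added example, not BotLaunch's own code: it assumes /api/auth/refresh returns the same `data` shape as the login response, and the `TokenSession` name and the 60-second margin are hypothetical.

```javascript
// Added example (not BotLaunch code). Assumption: /api/auth/refresh returns the
// same { data: { accessToken, refreshToken, expiresIn } } shape as the login response.
const API = "https://api.botlaunch.io";
class TokenSession {
  // login: the `data` object from /api/auth/login. fetchImpl and now are injectable for tests.
  constructor(login, orgId, fetchImpl = (...a) => fetch(...a), now = Date.now) {
    Object.assign(this, { orgId, fetchImpl, now, inflight: null });
    this.store(login);
  }

  // Tokens live in memory only (never localStorage). Rotation: keep the newest refresh token.
  store({ accessToken, refreshToken, expiresIn }) {
    this.accessToken = accessToken;
    this.refreshToken = refreshToken;
    this.expiresAt = this.now() + expiresIn * 1000;
  }

  // Single-flight: concurrent callers share one refresh call, so a refresh
  // token that rotation has already replaced is never submitted a second time.
  refresh() {
    this.inflight ??= (async () => {
      const res = await this.fetchImpl(`${API}/api/auth/refresh`, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ refreshToken: this.refreshToken }),
      });
      if (!res.ok) throw new Error(`refresh failed: ${res.status}`);
      this.store((await res.json()).data);
    })().finally(() => { this.inflight = null; });
    return this.inflight;
  }

  // Refresh 60 s before expiry; on a 401 (e.g. Token Expired) refresh and retry once.
  async request(path, init = {}) {
    if (this.now() >= this.expiresAt - 60_000) await this.refresh();
    const send = () => this.fetchImpl(`${API}${path}`, {
      ...init,
      headers: {
        ...init.headers,
        "Authorization": `Bearer ${this.accessToken}`,
        "x-organization-id": this.orgId,
        "Content-Type": "application/json",
      },
    });
    let res = await send();
    if (res.status === 401) { await this.refresh(); res = await send(); }
    return res;
  }
}
```

If the refresh call itself fails, `request` throws, which is the point to send the user back through /api/auth/login.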