Auth API Overview

The Informer Auth API provides comprehensive authentication and session management endpoints. All routes are prefixed with /api.

Features

  • Login/Logout - Session-based and SSO authentication
  • API Tokens - Create and manage long-lived API tokens for programmatic access
  • Session Management - Manage active sessions across devices
  • Password Management - Change passwords, reset forgotten passwords
  • MFA - Multi-factor authentication enrollment and verification
  • Impersonation - Admin users can impersonate other users for support
  • Captcha - Generate and verify captcha challenges

Authentication Strategies

Informer supports multiple authentication methods:

| Strategy | Use Case | Endpoint |
|---|---|---|
| Session (Cookie) | Web application login | POST /api/login/{domain} |
| API Token | Programmatic access | Token in Authorization header |
| SSO | SAML-based single sign-on | GET /api/login/{domain}/sso |

Session Management

Sessions are created on successful login and stored server-side:

  • Session ID - Stored in HTTP-only cookie (sid)
  • Expiration - Configurable timeout (default: tenant setting)
  • Parent Sessions - Support for impersonation hierarchy
  • Device Tracking - Records browser, OS, IP address

Common Response Patterns

Login Response

{
  "user": {
    "username": "admin",
    "displayName": "Administrator",
    "email": "admin@example.com"
  },
  "sid": "session-id-here",
  "jwt": "jwt-token-here",
  "wsToken": "websocket-token-here",
  "locale": "en-US",
  "lang": "en"
}

Error Responses

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Unable to log in"
}
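
The login response above carries three credential values (sid, jwt, wsToken), and the session ID is also expected in an HTTP-only cookie named sid. The following is an added example, not Informer's own code: it redacts those fields before a response is logged and checks a Set-Cookie header for the sid cookie's attributes. The function names and sample values are constructed for illustration, and the Secure and SameSite checks are general cookie hardening that this page does not state.

```python
import json
from http.cookies import SimpleCookie

# Login response fields that act as bearer credentials (names taken from the page).
SECRET_FIELDS = ("sid", "jwt", "wsToken")

# Constructed sample data using the page's placeholder values, not real captures.
LOGIN_BODY = (
    '{"user": {"username": "admin"}, "sid": "session-id-here", '
    '"jwt": "jwt-token-here", "wsToken": "websocket-token-here", "lang": "en"}'
)
ERROR_BODY = '{"statusCode": 401, "error": "Unauthorized", "message": "Unable to log in"}'
GOOD_COOKIE = "sid=session-id-here; Path=/; HttpOnly; Secure; SameSite=Lax"
WEAK_COOKIE = "sid=session-id-here; Path=/"


def redact_for_logging(body_text):
    """Parse a login or error response body and return a copy that is safe to log."""
    body = json.loads(body_text)
    if "statusCode" in body and "error" in body:
        # Error shape from the page: no credentials in it, keep it whole.
        return {"ok": False, **body}
    safe = {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in body.items()}
    return {"ok": True, **safe}


def audit_sid_cookie(set_cookie_header):
    """Return the names of hardening attributes missing from the sid cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "sid" not in jar:
        return ["sid cookie not set"]
    morsel = jar["sid"]
    # HttpOnly is what the page documents; Secure and SameSite are assumed extras.
    checks = (("HttpOnly", "httponly"), ("Secure", "secure"), ("SameSite", "samesite"))
    return [name for name, key in checks if not morsel[key]]


if __name__ == "__main__":
    print(redact_for_logging(LOGIN_BODY))
    print(redact_for_logging(ERROR_BODY))
    print("good cookie missing:", audit_sid_cookie(GOOD_COOKIE))
    print("weak cookie missing:", audit_sid_cookie(WEAK_COOKIE))
```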

Security Features

  • Account Lockout - Configurable login attempt limits
  • Password Expiration - Time-based password rotation
  • Password Strength - Enforced complexity requirements
  • MFA Support - TOTP and other authenticator methods
  • Rate Limiting - Prevents brute force attacks

Next Steps

Explore the specific endpoint categories: