Skip to content

Authentication

CloudWA supports two authentication methods:

  1. JWT Tokens (Cookies or Header) - For user sessions and frontend applications
  2. API Keys - For server-to-server integrations and automation

After logging in or registering, the server sets three secure cookies:

  • whm_access - Secure, httpOnly cookie containing the short-lived access token.
  • whm_refresh - Secure, httpOnly cookie containing the refresh token. Scoped to /api/auth/refresh for security.
  • whm_csrf - A JavaScript-readable cookie containing a random CSRF token to prevent cross-site request forgery.

Alternatively, for headless clients or API integrations, you can include the access token in the Authorization: Bearer <token> header or use an API key in the X-API-Key header.

Create a new user account within an existing organization. Registration requires an organization_id, which is typically provided via an invitation link.

Terminal window
POST /api/auth/register
{
"email": "user@example.com",
"password": "securepassword123",
"full_name": "John Doe",
"organization_id": "uuid"
}
FieldTypeRequiredDescription
emailstringYesUser’s email address
passwordstringYesMinimum 12 characters
full_namestringYesDisplay name
organization_idstringYesUUID of the organization to join

The response body contains user information and the token expiration details, while the actual JWT tokens are set as secure HTTP cookies (whm_access and whm_refresh).

{
"status": "success",
"data": {
"expires_in": 3600,
"user": {
"id": "uuid",
"organization_id": "uuid",
"email": "user@example.com",
"full_name": "John Doe",
"role_id": "uuid",
"is_active": true,
"is_available": true,
"is_super_admin": false,
"created_at": "2024-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z",
"role": {
"id": "uuid",
"name": "agent",
"description": "Standard Agent role"
}
}
}
}

Authenticate and receive tokens via cookies.

Terminal window
POST /api/auth/login
{
"email": "user@example.com",
"password": "securepassword123"
}

The response body contains user information and token expiration details. The JWT access and refresh tokens are set via secure, httpOnly cookies.

{
"status": "success",
"data": {
"expires_in": 3600,
"user": {
"id": "uuid",
"organization_id": "uuid",
"email": "user@example.com",
"full_name": "John Doe",
"role_id": "uuid",
"is_active": true,
"is_available": true,
"is_super_admin": false,
"created_at": "2024-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z"
}
}
}

Get a new access token using your refresh token. The server rotates the refresh token upon consumption (refresh token rotation).

Terminal window
POST /api/auth/refresh

If the client does not send cookies (e.g. headless scripts), the refresh token can optionally be provided in the request body:

{
"refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}

Returns new tokens as secure cookies and the user metadata.

{
"status": "success",
"data": {
"expires_in": 3600,
"user": {
"id": "uuid",
"organization_id": "uuid",
"email": "user@example.com",
"full_name": "John Doe",
"role_id": "uuid",
"is_active": true,
"is_available": true,
"is_super_admin": false,
"created_at": "2024-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z"
}
}
}

Switch the current user’s active organization. Returns new tokens scoped to the target organization with the user’s org-specific role and permissions.

Terminal window
POST /api/auth/switch-org
{
"organization_id": "uuid"
}

The response body returns updated details of the user scoped to the new organization, along with new access and refresh cookies.

{
"status": "success",
"data": {
"expires_in": 3600,
"user": {
"id": "uuid",
"organization_id": "uuid",
"email": "user@example.com",
"full_name": "John Doe",
"role_id": "uuid",
"is_active": true,
"is_available": true,
"is_super_admin": false,
"created_at": "2024-01-01T00:00:00Z",
"updated_at": "2024-01-01T00:00:00Z",
"role": {
"id": "uuid",
"name": "agent",
"description": "Standard Agent role",
"permissions": [
{ "resource": "contacts", "action": "read" },
{ "resource": "messages", "action": "read" }
]
}
}
}
}

Log out the current user session. This endpoint invalidates the user’s refresh token inside the Redis store and clears all set authentication cookies.

Terminal window
POST /api/auth/logout

If cookies are not used, the client can optionally specify the refresh token to invalidate:

{
"refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}
{
"status": "success",
"data": {
"status": "logged_out"
}
}

Get a short-lived single-use JWT token for authenticating WebSocket connections. Since secure HTTP-only cookies cannot be accessed by client-side JavaScript, this endpoint provides a safe way to retrieve a token to pass via query parameters when establishing a WebSocket connection.

Terminal window
GET /api/auth/ws-token
{
"status": "success",
"data": {
"token": "eyJhbGciOiJIUzI1NiIs..."
}
}

CloudWA supports Single Sign-On (SSO) using OAuth2/OIDC. This allows users to authenticate using external identity providers such as Google, Microsoft, GitHub, Facebook, or a custom OIDC provider.

Retrieve enabled SSO providers for displaying login buttons on the sign-in page.

Terminal window
GET /api/auth/sso/providers
{
"status": "success",
"data": [
{
"provider": "google",
"name": "Google"
},
{
"provider": "github",
"name": "GitHub"
}
]
}

Start the OAuth2 login flow for a specific provider. This endpoint generates a secure state token and redirects the user to the provider’s authorization page.

Terminal window
GET /api/auth/sso/{provider}/init
ParameterTypeRequiredDescription
providerstringYesThe identity provider name: google, microsoft, github, facebook, or custom

Handle the redirect callback from the identity provider after the user authorizes access.

Terminal window
GET /api/auth/sso/{provider}/callback
ParameterTypeRequiredDescription
providerstringYesThe identity provider name: google, microsoft, github, facebook, or custom
ParameterTypeRequiredDescription
codestringYes (on success)The authorization code returned by the provider
statestringYesThe state nonce used to verify request integrity and prevent CSRF
errorstringNo (on failure)The error code if authorization failed
error_descriptionstringNo (on failure)A description of why the authorization failed

Include the access token in the Authorization header for all protected API requests:

Terminal window
curl -X GET "https://dashboard.cloudwa.net/api/contacts" \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
Token TypeDefault Expiration
Access Token1 hour
Refresh Token7 days