Authentication and Authorization Mechanisms
1. Login and Validation
Login: A user provides their email and password. Upon successful login, the server responds with an access token (JWT), which is used for subsequent API requests.
If additional verification is required (e.g. MFA), the server may return a temporary session identifier and require further verification before issuing the access token.
Validation: The system checks the credentials against the database and responds with either a success message and token or an error if the credentials are incorrect.
2. Token Granting and Authentication (JWT)
Authentication is based on JWT (JSON Web Tokens):
- JWT:
Upon successful login, the system returns a JWT that serves as proof of authentication. The token is used for each subsequent API call and must be included in the Authorization header as: Bearer {token}
The system may also issue a refresh token, which is used to obtain a new access token when the current one expires.
3. Handling Logout and Session Issues
Logout: To log out, users can send a POST request to the logout endpoint. This request invalidates the refresh token on the server side. The access token is not revoked and expires naturally at the end of its lifetime.
Session Issues: Session-related issues, such as token expiry or invalid session states, result in a 401 Unauthorized response.
Before returning a 401 response, the system may attempt to refresh the access token using a valid refresh token.
If the refresh process fails, the user is considered unauthenticated.
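The login, Bearer-header validation, refresh and logout steps described in sections 1 to 3, worked through end to end as an added example. This is illustration code, not the system's own implementation: the HS256 signing key, the in-memory user and refresh-token stores, the token lifetimes and every function name are assumptions. The JWT is built by hand with the standard library so the example runs offline, and the verifier refuses any token whose header does not say HS256 and any token whose exp has passed.

```python
# Added example (not the page's own code): a minimal in-memory JWT access/refresh
# service. The key, stores, TTLs and all names below are assumptions for illustration.
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-example-key-do-not-reuse"   # assumption: HS256 shared secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = SIGNING_KEY, now=None):
    """Return the claims if the signature is valid and 'exp' is in the future, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":          # refuse 'none' and any other algorithm
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class AuthService:
    ACCESS_TTL = 15 * 60          # seconds; assumption
    REFRESH_TTL = 7 * 24 * 3600   # seconds; assumption

    def __init__(self):
        self._users = {}            # email -> (salt, pbkdf2 hash)
        self._refresh_tokens = {}   # refresh token -> (email, expiry)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, email, password, now=None):
        """Section 1: check credentials; return access + refresh tokens or an error."""
        now = time.time() if now is None else now
        record = self._users.get(email)
        if record is None:
            return {"error": "invalid credentials"}
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, stored):
            return {"error": "invalid credentials"}
        return self._issue(email, now)

    def _issue(self, email, now):
        access = sign_jwt({"sub": email, "iat": int(now), "exp": int(now) + self.ACCESS_TTL})
        refresh = secrets.token_urlsafe(32)
        self._refresh_tokens[refresh] = (email, now + self.REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def authenticate(self, authorization_header, now=None):
        """Section 2: parse 'Authorization: Bearer {token}'; claims, or None (a 401 for the caller)."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return None
        return verify_jwt(token, now=now)

    def refresh(self, refresh_token, now=None):
        """Exchange a valid refresh token for a new pair; the old refresh token is single-use."""
        now = time.time() if now is None else now
        entry = self._refresh_tokens.pop(refresh_token, None)
        if entry is None or entry[1] <= now:
            return {"error": "invalid refresh token"}
        return self._issue(entry[0], now)

    def logout(self, refresh_token):
        """Section 3: invalidate the refresh token; the access token simply expires at 'exp'."""
        self._refresh_tokens.pop(refresh_token, None)
        return {"status": "logged out"}


def authorize_request(svc, tokens, now=None):
    """Section 3, 401 path: accept the access token, else try the refresh token, else 401."""
    claims = svc.authenticate(f"Bearer {tokens['access_token']}", now=now)
    if claims is not None:
        return 200, tokens
    renewed = svc.refresh(tokens["refresh_token"], now=now)
    if "error" in renewed:
        return 401, None
    return 200, renewed
```

Passing an explicit now to each call is what lets the expiry path be exercised deterministically; in a real deployment the server clock is used and the refresh token store would live in a database or cache so that logout revokes the token on every node, not just the one that handled the request.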