Learn how to securely authenticate with our API and understand how access is tied to the party type of the account issuing the tokens.
Requests use the HTTP Authorization
header to authorize operations. The facilioo API accepts bearer tokens (JWT) in this header. These bearer tokens can be obtained using the /api/auth/login or /api/auth/refresh method.
Level of AccessAccess levels in the facilioo API depend on multiple factors. Beyond dynamic runtime checks, a core aspect is the party type your account belongs to — such as a property management company, contractor, or user. This information is embedded in the
accessToken
and determines which resources and operations are available.To learn more about how accounts and party types relate, see the Parties and Accounts documentation.
Login
Attribute | Type | Description |
---|---|---|
email | string | Email of the user |
password | string | The password of the user |
skipMultiFactorAuthentication | boolean | If true , the user will not be asked for multifactor authentication |
Access Token (JWT)
Both access tokens and refresh tokens use JWT open standard.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NTE3NjAyNDIsImV4cCI6MTY1MTc2Mzg0MiwiaXNzIjoiZGV2LWFwaS5mYWNpbGlvby5kZSIsImF1ZCI6ImRldi1hcHAuZmFjaWxpb28uZGUiLCJzdWIiOnsiYWNjb3VudElkIjoyLCJjb21wYW55SWQiOjJ9fQ.KJPsiOzcu8SHXU_GhGz5qS6cg-moXAC83WOLI8J9vFLgk5k0MdkxR8S88Ri0BJuCmifFtHpbR7bH4tKxeF8-pW_wU08uQ_MJxJqcK9MOjyVITsLzok7RJxqevv0SjPZkgqqxGwgGbcgsYJaG2u44RYnnyf5xPce9MKQcfHa23C-NyQIBmseO7RdFNAFZM8Lc-nEf0tjJc3ciBdr7t_s8dUS2vCb4ALWj8Dhrs9UyO3bA1yMQt4xACfQzGbDMV_4R8nbgOL9KkywcmJD-JdcIiYIGk2GEhbhuL05CtJthZT4XWVE0wdA00YmDBdvuekzykDKalXU2C1ED3winvL6VGg
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsYTOhgsDkokcFw97Sy9bR8Fi/PXTx+WwvSre0bHZwuyFelQmPriy
UVd7Rx23B+gR+elBgfyP+Tbv8AXCI6dBkyfTiJY5n3vrS2H7rh+Hi7JQ3x7ab0p4
bF8Vg0Tc7uYr9s1P2LO1ZwoBwu33xEwBh6tQAF7SYPJ2DwkGixX8YwNwGdNeOeja
/pwuLmCwooPpNRWLaKb7sVJr7lyaGbOuMG+8ZLq0NGxc8wnhlWAiFaxbttej10i4
3rxYImQyUYGKUIkgg8c7Z98lVxOf7+4q3Zu4P6TC3gdoCwYiJdY6hCwTMeYz2ZzH
rVFXoC/2PoneNX9a5w2nrha3aWaeBrj9xQIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzSvRbPvzl1Vl9q7zPwZu8sG6pSDGXHzpMy4qjnec/jQokz1tqjAQ
DVgtc1XWs6qAWN+cgn8zEPGFe2PNg3+DaO0+KAU/hsT4tsitGhk8Iu9f4TD8Lqf0
k+PSJbBCZnTrnoJdhOnD+sxN0L7yKSBqrigZ696UuQMIz6gBB++l20jSfrEndd/u
6qHy94dZIZD8EzJiVScDVPiAIaE0EKsoSUKj6dxa4cbFesPp4gZj2CQq8bKbFEl7
8TWqyrvbGp1CxQabmPphQG5mZONBbx2WAUPtwaq/wAkt0KOxeUxndI3FDTk8HyOT
fIvxPNsQ+eAEB2qOOTlxsllhmwxZ0BwbLwIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApv889ZfY92X5HgLU3BbC/TD79dQxMyUQsY0huNdL1uxaJADvjEQp
YZSoxHxu2ZA9CM3tbEM1fdPqAKktpg1JZb7rdpan2kXUsiJbketjRyRvvwbs76qU
o7TPt7AeJ3sGUShVtEetz7nVwjfN+adejobPEpAp4q/MG514zaLHO/+zfHudXQfM
bbsesVCwTP6R+S+VRBG0EWmFTnfiRpaps/9FnP+ThqHJmATWtEtQ7wt21KhalE0o
SQZTvL++drIyBeAE/SzDxw/cNfMuFm40OGBjYAncUkSMcZTzZ7BPi4Su1XKE/cgK
qguPVoZbGpldycK+pZozH2i4QSL8qm+8ZQIDAQAB
-----END RSA PUBLIC KEY-----
Note: The example token has expired and can't be used for authorization.
Type | Decoded (Example) | Description |
---|---|---|
Header |
| That does only specify the type of token an algorithm used. |
Payload |
| The attribute The attribute The The The For more information about claims, please refer to RFC 7519 . |
Signature | <omitted> | <omitted> |
Refresh
When an access token reaches its expiration, any subsequent API call will result in a status code 401 Unauthorized error. To resolve this, the client should initiate a call to the refresh token endpoint. It is essential for the client to persistently store the refresh token.
By utilizing the refresh token in this scenario, the client can obtain both a new access token and a new refresh token. The newly received refresh token should be saved and used for all future refresh requests.
Request
Attribute | Type | Description |
---|---|---|
refreshToken | string | One-time usable refresh token from the last login or refresh request. |
Response
Attribute | Type | Description |
---|---|---|
accessToken | string | The access token, which can be used to make new requests. |
refreshToken | object | The refresh token to generate a new set. |
Debugging
Use jwt.io to have a look at the tokens content.