Authentication

Learn how to securely authenticate with our API and understand how access is tied to the party type of the account issuing the tokens.

Requests use the HTTP Authorization header to authorize operations. The facilioo API accepts bearer tokens (JWT) in this header. These bearer tokens can be obtained using the /api/auth/login or /api/auth/refresh method.

📘

Level of Access

Access levels in the facilioo API depend on multiple factors. Beyond dynamic runtime checks, a core aspect is the party type your account belongs to — such as a property management company, contractor, or user. This information is embedded in the accessToken and determines which resources and operations are available.

To learn more about how accounts and party types relate, see the Parties and Accounts documentation.

Login

AttributeTypeDescription
emailstringEmail of the user
passwordstringThe password of the user
skipMultiFactorAuthenticationbooleanIf true, the user will not be asked for multifactor authentication

Access Token (JWT)

Both access tokens and refresh tokens use JWT open standard.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NTE3NjAyNDIsImV4cCI6MTY1MTc2Mzg0MiwiaXNzIjoiZGV2LWFwaS5mYWNpbGlvby5kZSIsImF1ZCI6ImRldi1hcHAuZmFjaWxpb28uZGUiLCJzdWIiOnsiYWNjb3VudElkIjoyLCJjb21wYW55SWQiOjJ9fQ.KJPsiOzcu8SHXU_GhGz5qS6cg-moXAC83WOLI8J9vFLgk5k0MdkxR8S88Ri0BJuCmifFtHpbR7bH4tKxeF8-pW_wU08uQ_MJxJqcK9MOjyVITsLzok7RJxqevv0SjPZkgqqxGwgGbcgsYJaG2u44RYnnyf5xPce9MKQcfHa23C-NyQIBmseO7RdFNAFZM8Lc-nEf0tjJc3ciBdr7t_s8dUS2vCb4ALWj8Dhrs9UyO3bA1yMQt4xACfQzGbDMV_4R8nbgOL9KkywcmJD-JdcIiYIGk2GEhbhuL05CtJthZT4XWVE0wdA00YmDBdvuekzykDKalXU2C1ED3winvL6VGg
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsYTOhgsDkokcFw97Sy9bR8Fi/PXTx+WwvSre0bHZwuyFelQmPriy
UVd7Rx23B+gR+elBgfyP+Tbv8AXCI6dBkyfTiJY5n3vrS2H7rh+Hi7JQ3x7ab0p4
bF8Vg0Tc7uYr9s1P2LO1ZwoBwu33xEwBh6tQAF7SYPJ2DwkGixX8YwNwGdNeOeja
/pwuLmCwooPpNRWLaKb7sVJr7lyaGbOuMG+8ZLq0NGxc8wnhlWAiFaxbttej10i4
3rxYImQyUYGKUIkgg8c7Z98lVxOf7+4q3Zu4P6TC3gdoCwYiJdY6hCwTMeYz2ZzH
rVFXoC/2PoneNX9a5w2nrha3aWaeBrj9xQIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzSvRbPvzl1Vl9q7zPwZu8sG6pSDGXHzpMy4qjnec/jQokz1tqjAQ
DVgtc1XWs6qAWN+cgn8zEPGFe2PNg3+DaO0+KAU/hsT4tsitGhk8Iu9f4TD8Lqf0
k+PSJbBCZnTrnoJdhOnD+sxN0L7yKSBqrigZ696UuQMIz6gBB++l20jSfrEndd/u
6qHy94dZIZD8EzJiVScDVPiAIaE0EKsoSUKj6dxa4cbFesPp4gZj2CQq8bKbFEl7
8TWqyrvbGp1CxQabmPphQG5mZONBbx2WAUPtwaq/wAkt0KOxeUxndI3FDTk8HyOT
fIvxPNsQ+eAEB2qOOTlxsllhmwxZ0BwbLwIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApv889ZfY92X5HgLU3BbC/TD79dQxMyUQsY0huNdL1uxaJADvjEQp
YZSoxHxu2ZA9CM3tbEM1fdPqAKktpg1JZb7rdpan2kXUsiJbketjRyRvvwbs76qU
o7TPt7AeJ3sGUShVtEetz7nVwjfN+adejobPEpAp4q/MG514zaLHO/+zfHudXQfM
bbsesVCwTP6R+S+VRBG0EWmFTnfiRpaps/9FnP+ThqHJmATWtEtQ7wt21KhalE0o
SQZTvL++drIyBeAE/SzDxw/cNfMuFm40OGBjYAncUkSMcZTzZ7BPi4Su1XKE/cgK
qguPVoZbGpldycK+pZozH2i4QSL8qm+8ZQIDAQAB
-----END RSA PUBLIC KEY-----

Note: The example token has expired and can't be used for authorization.

Type

Decoded (Example)

Description

Header

{ "alg": "RS256", "typ": "JWT" }

That does only specify the type of token an algorithm used.

Payload

{ "nbf": 1651760242, "exp": 1651763842, "iss": "dev-api.facilioo.de", "aud": "dev-app.facilioode", "sub": { "accountId": 2, "companyId": 2 } }

The attribute nbf does specify the time that the token can be used the earliest. Therefore, the token can't be used before. In this example, that's on 2022-05-05T16:17:22+0200.

The attribute exp does specify the time the token will expire. Expired tokens can't be used for authentication.

The iss attribute specifies the issuer of the token, which will be the facilioo API.

The aud attribute does specify the intended audience of the token and therefore the system (domain) which can use the token.

The sub attribute does contain the information about the user, such as the accountId and the companyId.

For more information about claims, please refer to RFC 7519 .

Signature

<omitted>

<omitted>

Refresh

When an access token reaches its expiration, any subsequent API call will result in a status code 401 Unauthorized error. To resolve this, the client should initiate a call to the refresh token endpoint. It is essential for the client to persistently store the refresh token.

By utilizing the refresh token in this scenario, the client can obtain both a new access token and a new refresh token. The newly received refresh token should be saved and used for all future refresh requests.

Request

AttributeTypeDescription
refreshTokenstringOne-time usable refresh token from the last login or refresh request.

Response

AttributeTypeDescription
accessTokenstringThe access token, which can be used to make new requests.
refreshTokenobjectThe refresh token to generate a new set.

Debugging

Use jwt.io to have a look at the tokens content.