facilioo Websitefacilioo Platform
API Reference
Contact
Start typing to search…

Authentication

Learn how to securely authenticate with our API and understand how access is tied to the party type of the account issuing the tokens.

Requests use the HTTP Authorization header to authorize operations. The facilioo API accepts bearer tokens (JWT) in this header. These bearer tokens can be obtained using the /api/auth/login or /api/auth/refresh method.

📘

Level of Access

Access levels in the facilioo API depend on multiple factors. Beyond dynamic runtime checks, a core aspect is the party type your account belongs to — such as a property management company, contractor, or user. This information is embedded in the accessToken and determines which resources and operations are available.

To learn more about how accounts and party types relate, see the Parties and Accounts documentation.

Login

AttributeTypeDescription
emailstringEmail of the user
passwordstringThe password of the user
skipMultiFactorAuthenticationbooleanIf true, the user will not be asked for multifactor authentication

Access Token (JWT)

Both access tokens and refresh tokens use JWT open standard.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE2NTE3NjAyNDIsImV4cCI6MTY1MTc2Mzg0MiwiaXNzIjoiZGV2LWFwaS5mYWNpbGlvby5kZSIsImF1ZCI6ImRldi1hcHAuZmFjaWxpb28uZGUiLCJzdWIiOnsiYWNjb3VudElkIjoyLCJjb21wYW55SWQiOjJ9fQ.KJPsiOzcu8SHXU_GhGz5qS6cg-moXAC83WOLI8J9vFLgk5k0MdkxR8S88Ri0BJuCmifFtHpbR7bH4tKxeF8-pW_wU08uQ_MJxJqcK9MOjyVITsLzok7RJxqevv0SjPZkgqqxGwgGbcgsYJaG2u44RYnnyf5xPce9MKQcfHa23C-NyQIBmseO7RdFNAFZM8Lc-nEf0tjJc3ciBdr7t_s8dUS2vCb4ALWj8Dhrs9UyO3bA1yMQt4xACfQzGbDMV_4R8nbgOL9KkywcmJD-JdcIiYIGk2GEhbhuL05CtJthZT4XWVE0wdA00YmDBdvuekzykDKalXU2C1ED3winvL6VGg
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAsYTOhgsDkokcFw97Sy9bR8Fi/PXTx+WwvSre0bHZwuyFelQmPriy
UVd7Rx23B+gR+elBgfyP+Tbv8AXCI6dBkyfTiJY5n3vrS2H7rh+Hi7JQ3x7ab0p4
bF8Vg0Tc7uYr9s1P2LO1ZwoBwu33xEwBh6tQAF7SYPJ2DwkGixX8YwNwGdNeOeja
/pwuLmCwooPpNRWLaKb7sVJr7lyaGbOuMG+8ZLq0NGxc8wnhlWAiFaxbttej10i4
3rxYImQyUYGKUIkgg8c7Z98lVxOf7+4q3Zu4P6TC3gdoCwYiJdY6hCwTMeYz2ZzH
rVFXoC/2PoneNX9a5w2nrha3aWaeBrj9xQIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAzSvRbPvzl1Vl9q7zPwZu8sG6pSDGXHzpMy4qjnec/jQokz1tqjAQ
DVgtc1XWs6qAWN+cgn8zEPGFe2PNg3+DaO0+KAU/hsT4tsitGhk8Iu9f4TD8Lqf0
k+PSJbBCZnTrnoJdhOnD+sxN0L7yKSBqrigZ696UuQMIz6gBB++l20jSfrEndd/u
6qHy94dZIZD8EzJiVScDVPiAIaE0EKsoSUKj6dxa4cbFesPp4gZj2CQq8bKbFEl7
8TWqyrvbGp1CxQabmPphQG5mZONBbx2WAUPtwaq/wAkt0KOxeUxndI3FDTk8HyOT
fIvxPNsQ+eAEB2qOOTlxsllhmwxZ0BwbLwIDAQAB
-----END RSA PUBLIC KEY-----
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApv889ZfY92X5HgLU3BbC/TD79dQxMyUQsY0huNdL1uxaJADvjEQp
YZSoxHxu2ZA9CM3tbEM1fdPqAKktpg1JZb7rdpan2kXUsiJbketjRyRvvwbs76qU
o7TPt7AeJ3sGUShVtEetz7nVwjfN+adejobPEpAp4q/MG514zaLHO/+zfHudXQfM
bbsesVCwTP6R+S+VRBG0EWmFTnfiRpaps/9FnP+ThqHJmATWtEtQ7wt21KhalE0o
SQZTvL++drIyBeAE/SzDxw/cNfMuFm40OGBjYAncUkSMcZTzZ7BPi4Su1XKE/cgK
qguPVoZbGpldycK+pZozH2i4QSL8qm+8ZQIDAQAB
-----END RSA PUBLIC KEY-----

Note: The example token has expired and can't be used for authorization.

Type

Decoded (Example)

Description

Header

{ "alg": "RS256", "typ": "JWT" }

That does only specify the type of token an algorithm used.

Payload

{ "nbf": 1651760242, "exp": 1651763842, "iss": "dev-api.facilioo.de", "aud": "dev-app.facilioode", "sub": { "accountId": 2, "companyId": 2 } }

The attribute nbf does specify the time that the token can be used the earliest. Therefore, the token can't be used before. In this example, that's on 2022-05-05T16:17:22+0200.

The attribute exp does specify the time the token will expire. Expired tokens can't be used for authentication.

The iss attribute specifies the issuer of the token, which will be the facilioo API.

The aud attribute does specify the intended audience of the token and therefore the system (domain) which can use the token.

The sub attribute does contain the information about the user, such as the accountId and the companyId.

For more information about claims, please refer to RFC 7519 .

Signature

<omitted>

<omitted>

Refresh

When an access token reaches its expiration, any subsequent API call will result in a status code 401 Unauthorized error. To resolve this, the client should initiate a call to the refresh token endpoint. It is essential for the client to persistently store the refresh token.

By utilizing the refresh token in this scenario, the client can obtain both a new access token and a new refresh token. The newly received refresh token should be saved and used for all future refresh requests.

Request

AttributeTypeDescription
refreshTokenstringOne-time usable refresh token from the last login or refresh request.

Response

AttributeTypeDescription
accessTokenstringThe access token, which can be used to make new requests.
refreshTokenobjectThe refresh token to generate a new set.

Debugging

Use jwt.io to have a look at the tokens content.

Customer App Password Reset Flow

The password reset flow allows users to recover their account in case they forget their password. It consists of three main steps: sending a recovery email, changing the password using a recovery code, and unblocking the recovery code if necessary.

1. Initiate Password Recovery

Endpoint: POST /api/auth/recover-password
Description: Sends a password recovery message to the user’s email. This operation is rate-limited using the DefaultRateLimitAuth policy.

Behavior:

  • The user provides their registered email address.
  • The system sends an email with a recovery code or a link containing the recovery code.
  • Rate limiting prevents abuse of this endpoint.

Note: This endpoint is currently marked as obsolete and will be removed once an external identity provider is implemented.

Example Request DTO:

{
  "email": "[email protected]"
}

Response DTO: PasswordRecoveryResponseDto

2. Change Password Using Recovery Code

Endpoint: PUT /api/auth/change-password-with-recovery-code
Description: Changes the user’s password using a recovery code received via email.

Behavior:

  • The user enters the recovery code received in their email, along with the new password.
  • The system validates the recovery code and updates the user’s password.
  • If the user enters the wrong recovery code 5 times, the account will be temporarily blocked for 24 hours.

Example Request DTO:

{
  "email": "[email protected]",
  "password": "newSecurePassword",
  "recoveryCode": "123456"
}

Response DTO: PasswordChangeRecoveryCodeResponseDto

Note: This endpoint is also marked as obsolete and will be removed once an identity provider is implemented.

3. Unblock Recovery Code

Endpoint: POST /api/account/unblock-recovery-code
Description: Unblocks a user’s recovery code if the account has been temporarily blocked due to multiple failed attempts.

Behavior:

  • Requires authentication with either an Admin or PropertyManagementCompany role.
  • The request must include the account’s email address.
  • The owner of the account (typically a PropertyManager) can unblock the recovery code.

Example Request DTO:

{
  "email": "[email protected]"
}

Response DTO: UnblockRecoveryCodeResponseDto

Note: This endpoint is marked as obsolete and will be removed once an identity provider is implemented.