
API Authentication

Secure your API requests with JWT tokens.

Overview

LusterCMS uses JWT (JSON Web Tokens) for authentication:

  1. Login → Receive access + refresh tokens
  2. Use access token → Include in Authorization header
  3. Refresh → Get new access token when expired

Obtaining Tokens

Login

mutation Login {
  login(email: "user@example.com", password: "secret") {
    accessToken
    refreshToken
    user {
      id
      email
      role
    }
  }
}

Or via REST:

POST /api/auth/login
Content-Type: application/json

{"email": "user@example.com", "password": "secret"}

Using Tokens

Include in all authenticated requests:

Authorization: Bearer <access_token>

Token Refresh

Access tokens expire after 15 minutes (the `exp` claim). Refresh before expiration using the refresh token; the mutation returns a new refresh token alongside the new access token, so replace both stored values:

mutation RefreshToken {
  refreshToken(token: "<refresh_token>") {
    accessToken
    refreshToken
  }
}
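The three steps above (login, Bearer header, refresh before `exp`) as one client, written for this page as an added example rather than code from LusterCMS. It decodes the access-token payload only to schedule the refresh; the signature is the server's business and the client never acts on `role` or `permissions`. The `/api/graphql` path, the 60-second refresh margin and the in-memory fake server (which mints unsigned tokens) are assumptions made for the example.

```python
import base64
import json
import time
from typing import Any, Callable, Dict, Optional


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_payload(token: str) -> Dict[str, Any]:
    """Read the JWT payload WITHOUT verifying the signature.
    Client-side this is only good for reading `exp` to schedule a refresh;
    never use unverified claims (role, permissions) for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


class LusterClient:
    """Login, attach Bearer tokens, and refresh shortly before `exp`.
    REFRESH_MARGIN and the /api/graphql path are assumptions for this example."""

    REFRESH_MARGIN = 60  # seconds of clock-skew headroom before `exp`

    def __init__(self, transport: Transport, now: Callable[[], float] = time.time):
        self._send, self._now = transport, now
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def login(self, email: str, password: str) -> None:
        resp = self._send("POST", "/api/auth/login", {"Content-Type": "application/json"},
                          {"email": email, "password": password})
        self.access_token, self.refresh_token = resp["accessToken"], resp["refreshToken"]

    def needs_refresh(self) -> bool:
        if self.access_token is None:
            return True
        return self._now() >= decode_payload(self.access_token).get("exp", 0) - self.REFRESH_MARGIN

    def refresh(self) -> None:
        query = ("mutation RefreshToken($t: String!) "
                 "{ refreshToken(token: $t) { accessToken refreshToken } }")
        resp = self._send("POST", "/api/graphql", {"Content-Type": "application/json"},
                          {"query": query, "variables": {"t": self.refresh_token}})
        data = resp["data"]["refreshToken"]
        # The mutation returns a new refresh token: adopt it and forget the old one.
        self.access_token, self.refresh_token = data["accessToken"], data["refreshToken"]

    def request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        if self.needs_refresh():
            self.refresh()
        return self._send(method, path, {"Authorization": f"Bearer {self.access_token}"}, body)


def make_fake_server(clock: Callable[[], float]) -> Transport:
    """Constructed in-memory stand-in for the API. Tokens are unsigned ("sig" is a
    placeholder) because only `exp` matters to the client's refresh logic."""
    state = {"refresh": None, "n": 0}

    def mint_access() -> str:
        now = int(clock())
        header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url_encode(json.dumps({"sub": "user-uuid", "iat": now, "exp": now + 900}).encode())
        return f"{header}.{payload}.sig"

    def issue() -> dict:
        state["n"] += 1
        state["refresh"] = f"r{state['n']}"
        return {"accessToken": mint_access(), "refreshToken": state["refresh"]}

    def send(method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
        if path == "/api/auth/login" and body == {"email": "user@example.com", "password": "secret"}:
            return issue()
        if path == "/api/graphql":
            if body["variables"]["t"] != state["refresh"]:
                return {"errors": [{"message": "invalid refresh token"}]}
            return {"data": {"refreshToken": issue()}}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or decode_payload(auth[7:])["exp"] <= clock():
            return {"status": 401}
        return {"status": 200, "path": path}

    return send


def run_flow() -> dict:
    """Drive login -> authenticated request -> refresh, with a controllable clock."""
    clock = [1704066300]  # the `iat` shown in the Token Structure section
    client = LusterClient(make_fake_server(lambda: clock[0]), now=lambda: clock[0])
    client.login("user@example.com", "secret")
    first = client.request("GET", "/api/content")
    token_before = client.refresh_token
    clock[0] += 900 - 30  # 30 s before exp: inside the refresh margin
    second = client.request("GET", "/api/content")
    return {"first": first["status"], "second": second["status"],
            "refresh_before": token_before, "refresh_after": client.refresh_token,
            "exp_after": decode_payload(client.access_token)["exp"]}


if __name__ == "__main__":
    print(run_flow())
```

The second request lands 30 seconds before `exp`, so the client refreshes first and the server sees a fresh token; without the margin a request issued just before expiry could still arrive after it.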

Token Structure

Access token payload (decoded claims; `role` and `permissions` are authoritative only after the server has verified the signature, so clients should not make access decisions from them):

{
  "sub": "user-uuid",
  "email": "user@example.com",
  "role": "admin",
  "permissions": ["content.read", "content.write"],
  "exp": 1704067200,
  "iat": 1704066300
}

API Keys (Coming Soon)

For server-to-server communication:

X-API-Key: <your-api-key>

Security Best Practices

  1. Store tokens securely — localStorage is readable by any script running on the page, so a single XSS bug leaks the token; keep the refresh token out of it and prefer an HttpOnly cookie or in-memory storage.
  2. Use HTTPS — a Bearer token sent in the clear can be captured and replayed by anyone on the path.
  3. Short expiration — access tokens expire after 15 minutes, which bounds how long a leaked one is useful; rely on refresh rather than long-lived access tokens.
  4. Rotate secrets — change the JWT signing secret periodically, keeping the previous secret accepted until tokens signed with it have expired so that rotation does not log every user out.
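Server-side verification of the payload shown under Token Structure, together with the secret rotation recommended in point 4, as an added example written for this page (not LusterCMS code; the page does not state the signing algorithm). It assumes HS256, a `kid` header naming which secret signed the token, and a hypothetical keyring in which a retired secret stays accepted until the 15-minute tokens it signed have expired. The algorithm is pinned rather than read from the token, the HMAC is compared in constant time, and authorization uses the verified `permissions` claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Mapping, Optional


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Hypothetical keyring: kid -> secret. Rotation = add a new kid and mint with it,
# keep the old kid until every token signed with it has passed `exp`, then drop it.
KEYRING: Dict[str, bytes] = {
    "2024-01": b"example-secret-from-2024-01-do-not-reuse",
    "2024-02": b"example-secret-from-2024-02-do-not-reuse",
}
ACTIVE_KID = "2024-02"
ACCESS_TTL = 15 * 60  # the page's 15-minute access-token lifetime


def sign_access_token(claims: Mapping[str, Any], kid: str = ACTIVE_KID,
                      now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {**claims, "iat": now, "exp": now + ACCESS_TTL}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(KEYRING[kid], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_access_token(token: str, now: Optional[int] = None, leeway: int = 30) -> Dict[str, Any]:
    """Check signature, algorithm, key id and expiry; return the claims only on success."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, json.JSONDecodeError) as e:
        raise TokenError("malformed token") from e
    # Pin the algorithm: never let the token choose it (blocks alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    key = KEYRING.get(header.get("kid", ""))
    if key is None:
        raise TokenError("unknown kid")  # also what a token signed with a retired secret looks like
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    return claims


def has_permission(claims: Mapping[str, Any], needed: str) -> bool:
    """Authorize from the verified `permissions` claim, not from `role` alone."""
    return needed in claims.get("permissions", [])


def verdict(token: str, now: int) -> str:
    """'ok' when the token verifies, otherwise the rejection reason."""
    try:
        verify_access_token(token, now=now)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    tok = sign_access_token({"sub": "user-uuid", "email": "user@example.com", "role": "admin",
                             "permissions": ["content.read", "content.write"]})
    print(verdict(tok, int(time.time())), has_permission(verify_access_token(tok), "content.write"))
```

Removing "2024-01" from `KEYRING` is the final step of a rotation: from then on any token still carrying that `kid` fails with "unknown kid", which is why the old secret should outlive its tokens by at least `ACCESS_TTL`.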