POST /api/Auth
Exchanges valid credentials and a Cloudflare Turnstile token for a signed JWT. The token is valid for 30 minutes and must be included as a Bearer token on all subsequent requests to protected endpoints.
Every login request must include a fresh CaptchaToken from your Cloudflare Turnstile widget. Requests with a missing or invalid captcha token are rejected with 401 Unauthorized.

Request body

UserName (string)
The username to authenticate. Corresponds to the UserName field on the ASP.NET Identity user record.

Password (string)
The user’s password.

CaptchaToken (string, required)
Cloudflare Turnstile token obtained from the frontend widget. Validated server-side before credentials are checked.

Responses

token
string
A signed JWT. Include this value in the Authorization: Bearer <token> header on all protected requests. Expires 30 minutes after issue.

Examples

curl --request POST \
  --url https://your-api-host/api/Auth \
  --header 'Content-Type: application/json' \
  --data '{
    "UserName": "jdoe",
    "Password": "s3cr3t",
    "CaptchaToken": "0.ABCdef123..."
  }'
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJqZG9lIiwibmFtZSI6Impkb2UiLCJleHAiOjE3NDMwMDAwMDB9.SIGNATURE"
}

Error conditions

The endpoint returns 401 Unauthorized — with no error body — in all of the following cases:
| Cause | Details |
| --- | --- |
| User not found | No user record exists for the given UserName. |
| User inactive | The user’s Activo flag is false. |
| Wrong password | Password does not match the stored credential. |
| Captcha failure | CaptchaToken is missing, expired, or invalid. |
All failure cases deliberately return the same 401 status with no distinguishing message to avoid leaking information about which users exist in the system.

Token usage

After a successful login, attach the token to every request to a protected endpoint:
curl --request GET \
  --url https://your-api-host/api/Users \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
Tokens expire after 30 minutes. Build a 401 response interceptor in your HTTP client to detect expiry and trigger a re-login automatically rather than handling it in each request handler individually.
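
One way to build the interceptor described above, as an added example rather than code from this API's own project. The names createApiClient, getLoginBody and fetchImpl are assumptions; getLoginBody stands for whatever your frontend uses to collect credentials and a fresh Turnstile token.

```javascript
// Added example (not the project's own code). createApiClient, getLoginBody and
// fetchImpl are hypothetical names. getLoginBody must return a new body with a
// fresh CaptchaToken on every call, since each login needs a new Turnstile token.
function createApiClient({ baseUrl, getLoginBody, fetchImpl = globalThis.fetch }) {
  let token = null;         // held in memory only
  let loginInFlight = null; // shared promise so concurrent 401s cause one login

  async function login() {
    const body = JSON.stringify(await getLoginBody());
    const res = await fetchImpl(`${baseUrl}/api/Auth`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body,
    });
    // /api/Auth answers every failure with a bare 401. Never auto-retry it:
    // a loop here burns captcha tokens and is indistinguishable from guessing.
    if (res.status === 401) throw new Error('login rejected');
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    token = (await res.json()).token;
  }

  function ensureLogin() {
    if (!loginInFlight) {
      loginInFlight = login().finally(() => { loginInFlight = null; });
    }
    return loginInFlight;
  }

  async function request(path, init = {}) {
    if (!token) await ensureLogin();
    for (let attempt = 0; ; attempt++) {
      const used = token;
      const res = await fetchImpl(`${baseUrl}${path}`, {
        ...init,
        headers: { ...init.headers, Authorization: `Bearer ${used}` },
      });
      // Pass through anything but 401, and retry a 401 at most once.
      if (res.status !== 401 || attempt === 1) return res;
      // Re-login only if nobody else has replaced the token we just used.
      if (used === token) await ensureLogin();
    }
  }

  return { request };
}
```

A rejected login surfaces to the caller as an error instead of being retried, so the UI can prompt the user again and render a new Turnstile challenge.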
