WebCorporativa API uses stateless JWT Bearer authentication. You obtain a token by logging in, then attach it to every subsequent request. There are no refresh tokens — when a token expires, you re-authenticate.

How it works

1. Request a token

Send your credentials and a Cloudflare Turnstile captcha token to POST /api/Auth. The API validates both before issuing a JWT.

2. Store the token

The response contains a single token field. Store it in memory or secure storage on your client. Do not persist it in a cookie without appropriate HttpOnly and Secure flags.

3. Send the token with every request

Include the token in the Authorization header on all requests to protected endpoints:
Authorization: Bearer <token>

4. Re-authenticate when the token expires

Tokens are valid for 30 minutes. After expiry the API returns 401 Unauthorized. Repeat step 1 to obtain a new token.

Login request

Send a POST request to /api/Auth with a JSON body containing your username, password, and a valid Cloudflare Turnstile token.
curl --request POST \
  --url https://your-api-host/api/Auth \
  --header 'Content-Type: application/json' \
  --data '{
    "UserName": "jdoe",
    "Password": "s3cr3t",
    "CaptchaToken": "0.ABCdef..."
  }'

Response

A successful login returns 200 OK with the JWT in the response body:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3JfMTIzIiwibmFtZSI6Impkb2UiLCJwZXJmaWxJZCI6IjIiLCJlc0FkbWluIjoiZmFsc2UiLCJleHAiOjE3NDMwMDAwMDB9.SIGNATURE"
}
The token value is a standard JWT. You can inspect its claims at jwt.io (use a throwaway token for that, since any token you paste is a live bearer credential) or decode it programmatically. See JWT structure for the full list of embedded claims.
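As an added example (not code from the WebCorporativa docs), the following Node.js snippet decodes the payload of the sample token above and reads its exp claim, so a client can tell locally whether a token is about to expire before sending a request. It only decodes: the signature segment is opaque to the client and is validated by the API, which holds the signing secret. The 30-second skew margin is an assumption chosen for illustration.

```javascript
// Added example: decode a JWT payload on the client (decoding is NOT verification).

// Convert a base64url segment (RFC 7515) to standard base64 and decode as UTF-8.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Split a compact JWT into header, payload and signature without verifying it.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("not a compact JWS: expected 3 dot-separated segments");
  }
  const [headerB64, payloadB64, signature] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signature, // opaque to the client; only the API can validate it
  };
}

// Seconds until the token's exp claim, or null when the claim is absent.
function secondsUntilExpiry(token, nowMs = Date.now()) {
  const { payload } = decodeJwt(token);
  if (typeof payload.exp !== "number") return null;
  return payload.exp - Math.floor(nowMs / 1000);
}

// Treat a token as expired slightly early (assumed 30 s skew) so a request sent
// just before expiry does not reach the API after it and draw a 401.
function isExpired(token, nowMs = Date.now(), skewSeconds = 30) {
  const remaining = secondsUntilExpiry(token, nowMs);
  return remaining === null ? false : remaining <= skewSeconds;
}

// The sample token from the login response above (its signature is a placeholder).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiJ1c3JfMTIzIiwibmFtZSI6Impkb2UiLCJwZXJmaWxJZCI6IjIiLCJlc0FkbWluIjoiZmFsc2UiLCJleHAiOjE3NDMwMDAwMDB9." +
  "SIGNATURE";

// Stand-alone run: print the decoded header and claims of the sample token.
console.log(decodeJwt(SAMPLE_TOKEN).header, decodeJwt(SAMPLE_TOKEN).payload);
console.log("seconds until expiry:", secondsUntilExpiry(SAMPLE_TOKEN));
```

Because the claims are readable by anyone holding the token, nothing in the payload (esAdmin, perfilId) should be trusted client-side for authorization decisions; the API enforces them from the signed token.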

Cloudflare Turnstile

Every login request must include a CaptchaToken, the token obtained from the Cloudflare Turnstile widget rendered on your login page. The API validates this token server-side before processing the credentials.
Requests that omit CaptchaToken or include an invalid token are rejected. Ensure your login UI always obtains a fresh Turnstile token before submitting credentials; a Turnstile token is single-use, so one cannot be cached and reused for a later login.
To integrate Turnstile in your frontend, follow the Cloudflare Turnstile documentation.

Token expiration

Tokens expire 30 minutes after they are issued. There is no refresh token mechanism.

Token lifetime

30 minutes from the time of issue. The expiry is embedded in the token as the standard exp claim.

No refresh tokens

When a token expires, re-authenticate via POST /api/Auth to get a new one.

Handling 401 Unauthorized

When the API returns 401 Unauthorized, the token is either missing, malformed, or expired. The correct response is to re-authenticate.
HTTP/1.1 401 Unauthorized
Recommended client-side logic:
  1. Detect the 401 response.
  2. Redirect the user to your login screen (or trigger a programmatic re-login if your client stores credentials securely; note that re-login also needs a fresh Turnstile token).
  3. On successful re-authentication, retry the original request with the new token.
Build a response interceptor in your HTTP client (e.g., Axios interceptors, Fetch middleware) to handle 401 responses centrally rather than in every individual request handler.
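The following is an added example of such a client, written for this page and not WebCorporativa's own code. It walks through steps 1 to 4 above: it logs in via POST /api/Auth with the documented body fields, keeps the token in memory only, attaches it as a Bearer header, and handles 401 centrally with exactly one re-login and one retry. So that it runs offline, the API is replaced by a constructed in-memory stand-in (makeFakeApi) whose token format, the protected path /api/example-protected-endpoint, and the Turnstile token values are all hypothetical.

```javascript
// Added example: a minimal client for the stateless Bearer flow described above.

class WebCorporativaClient {
  // getCredentials: async () => ({ userName, password, captchaToken })
  // It must return a fresh Turnstile token each call; the API rejects stale ones.
  constructor(baseUrl, getCredentials, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl;
    this.getCredentials = getCredentials;
    this.fetch = fetchImpl;
    this.token = null; // held in memory only, never written to storage here
  }

  // Step 1: POST credentials + captcha token, keep the returned JWT.
  async login() {
    const { userName, password, captchaToken } = await this.getCredentials();
    const res = await this.fetch(`${this.baseUrl}/api/Auth`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ UserName: userName, Password: password, CaptchaToken: captchaToken }),
    });
    if (res.status !== 200) throw new Error(`login failed with HTTP ${res.status}`);
    const body = await res.json();
    this.token = body.token;
    return this.token;
  }

  // Steps 3 and 4: send with Bearer header; on 401 re-authenticate once and retry once.
  async request(path, options = {}) {
    if (!this.token) await this.login();
    let res = await this.send(path, options);
    if (res.status === 401) {
      this.token = null; // missing, malformed or expired: discard and re-login
      await this.login();
      res = await this.send(path, options);
    }
    return res; // a second 401 is surfaced to the caller, not retried forever
  }

  send(path, options) {
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${this.token}` };
    return this.fetch(`${this.baseUrl}${path}`, { ...options, headers });
  }
}

// Constructed stand-in for the API (hypothetical, not the real service): issues
// tokens that expire after ttlMs and answers 401 for missing, unknown or expired ones.
function makeFakeApi(ttlMs, clock) {
  const issued = new Map(); // token -> expiry time in ms
  let counter = 0;
  const stats = { logins: 0, requests: 0 };
  const json = (status, body) => ({ status, json: async () => body });

  const fetch = async (url, init = {}) => {
    if (url.endsWith("/api/Auth") && init.method === "POST") {
      const body = JSON.parse(init.body);
      if (!body.CaptchaToken || !body.UserName || !body.Password) return json(400, {});
      stats.logins += 1;
      const token = `tok_${++counter}`;
      issued.set(token, clock.now() + ttlMs);
      return json(200, { token });
    }
    stats.requests += 1;
    const auth = (init.headers && init.headers.Authorization) || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : null;
    const exp = token && issued.get(token);
    if (!exp || exp <= clock.now()) return json(401, {});
    return json(200, { ok: true, as: token });
  };
  return { fetch, stats };
}

// Drive the client through login, one request, token expiry and a retried request.
async function demo() {
  const clock = { t: 0, now() { return this.t; } };
  const api = makeFakeApi(30 * 60 * 1000, clock); // documented 30-minute lifetime
  const client = new WebCorporativaClient("https://your-api-host", async () => ({
    userName: "jdoe", password: "s3cr3t", captchaToken: `turnstile_${clock.now()}`, // constructed
  }), api.fetch);

  const first = await (await client.request("/api/example-protected-endpoint")).json();
  clock.t += 31 * 60 * 1000; // jump past expiry so the next call draws a 401
  const second = await (await client.request("/api/example-protected-endpoint")).json();
  return { first, second, logins: api.stats.logins, requests: api.stats.requests };
}

demo().then((result) => console.log(result));
```

Running it shows two logins and three requests: the second call is answered 401 after expiry, the client re-authenticates and retries with the new token. The same shape maps onto an Axios response interceptor; the important properties are that the retry is bounded to one attempt and that the stale token is dropped before re-login.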

JWT structure

What claims are inside the token and how to decode them.

Permissions

How module-level permissions are embedded in and enforced from the JWT.
