Authentication

Secure your API access with authentication tokens. Log in with your email and password to get a token, or register for a new account. Tokens last 24 hours, and you can refresh them when they're about to expire. Enterprise customers can use their organization's single sign-on system instead.

JWT Tokens

AgentCanvas uses JSON Web Tokens (JWT) for authentication:

  • Access tokens: Short-lived tokens (24 hours) for API requests
  • Refresh tokens: Long-lived tokens (30 days) for getting new access tokens
  • Token format: Bearer tokens in the Authorization header
  • Token security: Tokens are signed with HMAC-SHA256 and encrypted

When you log in, you receive both an access token and a refresh token. Include the access token in the Authorization header of each API request. When the access token expires, use the refresh token to get a new access token.

Authorization: Bearer {your_access_token}

Login and Registration

To get an authentication token:

  1. Register: POST /auth/register with email, password, and full_name
  2. Verify email: Click the verification link sent to your email
  3. Login: POST /auth/login with email and password
  4. Get tokens: Receive access_token and refresh_token in the response
  5. Use token: Include the access_token in the Authorization header of API requests

Passwords must be at least 6 characters long and are hashed using bcrypt. The system enforces rate limiting on login attempts to prevent brute force attacks.
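As an added example (not AgentCanvas code), here is a server-side sketch of the two defences the paragraph names: a sliding-window rate limiter that locks an account key or a source-address key after repeated failed logins, and salted password hashing with constant-time verification. It uses hashlib.scrypt from the standard library as a stand-in for bcrypt so it runs without extra packages; the user store, thresholds, addresses and error strings are constructed for the example.

```python
import hashlib
import os
import secrets
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window throttle: after max_failures failed attempts within
    `window` seconds, the key (account or source IP) is locked for `lockout`."""

    def __init__(self, max_failures: int = 5, window: int = 300, lockout: int = 900):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}

    def retry_after(self, key: str, now: float) -> float:
        """Seconds until the key may try again; 0 means the attempt is allowed."""
        return max(0.0, self.locked_until.get(key, 0) - now)

    def record_failure(self, key: str, now: float) -> None:
        q = self.failures[key]
        q.append(now)
        while q and q[0] <= now - self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key: str) -> None:
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """scrypt stands in for bcrypt here so the example runs on the standard library."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return secrets.compare_digest(candidate, digest)


# Constructed user store: email -> stored salted hash
USERS = {"alice@example.com": hash_password("correct horse battery staple")}
# Dummy hash so an unknown account costs the same time as a real one
# (no account enumeration through response timing).
_DUMMY = hash_password("dummy-not-a-real-user")


def attempt_login(limiter: LoginRateLimiter, email: str, password: str,
                  source_ip: str, now: float) -> dict:
    """Throttled login check; both the account and the source address are keys."""
    keys = (f"acct:{email}", f"ip:{source_ip}")
    for key in keys:
        wait = limiter.retry_after(key, now)
        if wait > 0:
            return {"ok": False, "error": "too_many_attempts", "retry_after": int(wait)}
    stored = USERS.get(email, _DUMMY)
    if verify_password(password, stored) and email in USERS:
        for key in keys:
            limiter.record_success(key)
        return {"ok": True}
    for key in keys:
        limiter.record_failure(key, now)
    # Same message for a wrong password and an unknown account.
    return {"ok": False, "error": "invalid_credentials"}
```

The lockout applies per account (so a single target cannot be hammered from many addresses) and per address (so one client cannot spray many accounts); a real deployment would also log the lockout events for the detection pipeline.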

Token Refresh

Access tokens expire after 24 hours. To continue using the API without logging in again, refresh your token:

  1. Check expiration: Access tokens carry an expiration timestamp in the exp claim
  2. Refresh before expiry: POST /auth/refresh with your refresh_token
  3. Get new tokens: Receive a new access_token and refresh_token
  4. Update headers: Use the new access_token in subsequent requests

Refresh tokens expire after 30 days. If your refresh token expires, you'll need to log in again to get new tokens.
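To make the JWT section above and the refresh procedure concrete, the following added example (not part of the AgentCanvas documentation or client) implements an in-memory stand-in for POST /auth/login, POST /auth/refresh and a protected API route, plus a client that reads the exp claim and refreshes the access token before it expires. The signing secret, the user record, the typ and jti claims and the single-use refresh-token rotation are assumptions of this example, not documented behaviour of the API.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed signing secret for this example only; the real server keeps its
# own secret server-side and never hands it to clients.
SERVER_SECRET = b"example-signing-secret-do-not-reuse"
ACCESS_TTL = 24 * 3600      # access tokens last 24 hours
REFRESH_TTL = 30 * 86400    # refresh tokens last 30 days


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def jwt_verify(token: str, secret: bytes, now: int) -> dict:
    """Server-side check of signature and exp; returns the claims or raises."""
    header, payload, sig = token.split(".")   # ValueError if malformed
    # Pin the algorithm: the token header is never allowed to choose it.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def jwt_unverified_exp(token: str) -> int:
    """Client-side peek at exp (needs no key); used only to schedule a refresh."""
    return json.loads(_b64url_decode(token.split(".")[1]))["exp"]


class FakeAuthServer:
    """Constructed stand-in for POST /auth/login, POST /auth/refresh and an API route."""

    def __init__(self):
        self.users = {"alice@example.com": "correct horse battery staple"}
        self.used_refresh = set()   # refresh tokens are single-use (rotation)

    def _issue(self, sub: str, now: int) -> dict:
        access = {"sub": sub, "typ": "access", "exp": now + ACCESS_TTL}
        refresh = {"sub": sub, "typ": "refresh", "exp": now + REFRESH_TTL, "jti": secrets.token_hex(8)}
        return {"access_token": jwt_encode(access, SERVER_SECRET),
                "refresh_token": jwt_encode(refresh, SERVER_SECRET)}

    def login(self, email: str, password: str, now: int) -> dict:
        if self.users.get(email) != password:
            raise PermissionError("invalid credentials")
        return self._issue(email, now)

    def refresh(self, refresh_token: str, now: int) -> dict:
        claims = jwt_verify(refresh_token, SERVER_SECRET, now)
        if claims.get("typ") != "refresh" or claims["jti"] in self.used_refresh:
            raise PermissionError("refresh token rejected")
        self.used_refresh.add(claims["jti"])
        return self._issue(claims["sub"], now)

    def api_call(self, authorization: str, now: int) -> str:
        scheme, _, token = authorization.partition(" ")
        claims = jwt_verify(token, SERVER_SECRET, now)
        # Only an access token opens API routes; a refresh token must not.
        if scheme != "Bearer" or claims.get("typ") != "access":
            raise PermissionError("access token required")
        return f"hello {claims['sub']}"


class ApiClient:
    REFRESH_MARGIN = 5 * 60   # refresh with under five minutes of life left

    def __init__(self, server: FakeAuthServer, email: str, password: str, now: int):
        self.server = server
        self.tokens = server.login(email, password, now)

    def auth_header(self, now: int) -> str:
        if jwt_unverified_exp(self.tokens["access_token"]) - now < self.REFRESH_MARGIN:
            self.tokens = self.server.refresh(self.tokens["refresh_token"], now)
        return f"Bearer {self.tokens['access_token']}"

    def call(self, now: int) -> str:
        return self.server.api_call(self.auth_header(now), now)
```

The client only decodes the payload to read exp; it never trusts anything in the token, because only the server holds the signing secret. On the server side the two checks worth copying are the pinned algorithm (a header claiming alg none or a different algorithm is rejected before any signature work) and the typ claim, which keeps a long-lived refresh token from being presented as an access token.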

Multi-Factor Authentication (MFA)

Enterprise accounts can enable multi-factor authentication for additional security:

  • Enable MFA: POST /auth/mfa/enable to set up two-factor authentication
  • Authenticator apps: Use apps like Google Authenticator or Authy
  • MFA login: POST /auth/mfa/login with email, password, and MFA code
  • Backup codes: Generate backup codes in case you lose access to your authenticator

MFA adds an extra layer of security by requiring both your password and a time-based one-time password (TOTP) from your authenticator app.
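The following added example (not AgentCanvas code) shows what a TOTP check like the one described involves on the server side: RFC 6238 code generation from a shared key, verification that tolerates one 30-second step of clock drift and refuses a replayed code, and one-time backup codes stored as hashes. The RFC 6238 test key is used so the values can be checked against the standard; the drift window, the backup-code format and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def authenticator_secret(key: bytes) -> str:
    """Base32 form of the key, which is what authenticator apps are provisioned with."""
    return base64.b32encode(key).decode()


class TotpVerifier:
    """Server-side check: accepts the current step and one step either side
    (clock drift) and never accepts a step at or before the last accepted one
    (replay protection)."""

    def __init__(self, key: bytes, step: int = 30, drift_steps: int = 1):
        self.key, self.step, self.drift = key, step, drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue   # already used, or older than a code already used
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def new_backup_codes(count: int = 8):
    """Returns (plaintext codes to show the user once, hashes to store)."""
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex characters each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def use_backup_code(stored_hashes: set, code: str) -> bool:
    """Each backup code works exactly once: its hash is removed on success."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False
```

The verifier compares codes with hmac.compare_digest and records the step of the last accepted code, so a code captured in transit cannot be replayed within its validity window; backup codes are treated like passwords (hashed at rest, consumed on use).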

Single Sign-On (SSO)

Enterprise customers can use their organization's single sign-on system:

  • OIDC/SAML: Support for OpenID Connect (OIDC) and SAML 2.0
  • Enterprise only: SSO is available for Enterprise Organization accounts only
  • Configuration: Set up SSO via organization settings
  • Automatic login: Users authenticate via their organization's identity provider

SSO allows users to log in using their organization's credentials, eliminating the need for separate passwords for the platform.

Security Best Practices

  • Never expose your access token in client-side code or public repositories
  • Refresh tokens before they expire to avoid interruption
  • Use HTTPS for all API requests to encrypt token transmission
  • Enable MFA for additional security, especially for enterprise accounts
  • Log out and invalidate tokens when they're no longer needed