Skip to main content

User Authentication (JWT)

These endpoints provide per-user login and JWT session management for interactive applications: custom front-ends, customer portals, and embedded tools where individual users need to sign in and maintain a session. Base URL: https://api.vh3connect.io/api:lBQnyyZL
Login requires only email and password. The user’s tenant is resolved server-side. After login, every call uses Authorization: Bearer <token>, no API key is ever sent from the client.
Need to manage users from a back-end script or integration (no user session)? Use the Users endpoints on the main FSI API with company_id + api_key. Those endpoints are server-side only: the API key must never appear in client-side code.

POST /auth/login

Authenticate a user with email and password. Returns a JWT token valid for 24 hours. The user’s tenant is resolved server-side from their account, no API key is required from the client. Request body:
Response:
Error responses:

POST /auth/refresh

Refresh an expiring JWT token. Returns a new token with a fresh 24-hour expiry. Headers:
Response:

GET /auth/me

Get the current user profile from the JWT token. Includes the user’s company information. Headers:
Response:

POST /users/invite

Invite a new user by email to the authenticated user’s company. Returns an invitation token valid for 7 days. Requires admin or developer role. Headers: Request body:
Response:
Error responses:

GET /users/list

List all active users belonging to the authenticated user’s company. Supports pagination. Requires admin or developer role. Headers: Query parameters:
Response:

DELETE /users/

Soft-delete a user by setting their account to archived. The user will no longer be able to log in. Cannot delete your own account. Requires admin or developer role. Headers: Path parameters:
Response:
Error responses:

Roles reference