Authentication
NodeLoom uses JWT-based authentication delivered via httpOnly cookies. After a successful login, the server sets a secure cookie that is automatically included in all subsequent requests.
Cookie-based sessions
No separate Authorization header is required: the JWT is stored in a secure, httpOnly cookie and sent automatically by the browser. For non-browser clients, capture the Set-Cookie header from the login response and include the cookie in subsequent requests.

Login
/api/auth/login
Authenticate and receive a JWT cookie.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Registered email address |
| password | string | Yes | Account password |
```json
{
  "email": "jane@example.com",
  "password": "securepassword123"
}
```

Response
On success, the response includes the user object and a Set-Cookie header containing the JWT token in an httpOnly cookie.
```json
{
  "id": "uuid",
  "firstName": "Jane",
  "lastName": "Doe",
  "email": "jane@example.com",
  "teams": [
    {
      "teamId": "uuid",
      "teamName": "My Team",
      "role": "ADMIN"
    }
  ]
}
```

cURL example
```bash
curl -c cookies.txt -X POST https://your-nodeloom-instance.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"jane@example.com","password":"securepassword123"}'
```

Refresh Token
/api/auth/refresh
Refresh the JWT token before it expires.
Call this endpoint to obtain a fresh JWT token. The existing cookie must still be valid (not expired). The server replaces the current cookie with a new one that has an extended expiry.
Response
```json
{
  "message": "Token refreshed successfully"
}
```

Token expiry
Once the JWT cookie has expired, requests to authenticated endpoints return a 401 status. The user must log in again.

Logout
/api/auth/logout
Clear the JWT cookie and end the session.
Clears the httpOnly JWT cookie on the server side. After calling this endpoint, the user is no longer authenticated and must log in again.
Response
```json
{
  "message": "Logged out successfully"
}
```

Error Codes
| Status | Meaning |
|---|---|
| 400 | Invalid request body or missing required fields |
| 401 | Invalid credentials or expired token |
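The full cookie lifecycle for a non-browser client, as an added example that is not NodeLoom's own code: it captures the cookie from the login Set-Cookie header, checks that the HttpOnly and Secure attributes the docs promise are actually present, replays the cookie on later calls, adopts the replacement cookie returned by /api/auth/refresh, and logs in again when an expired token yields a 401. The transport is injected so the example runs offline against a constructed in-memory stand-in; the cookie name `token` and the `/api/teams` path are assumptions.

```python
import json
from http.cookies import SimpleCookie

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {httponly, secure})."""
    name, m = next(iter(SimpleCookie(header).items()))
    return name, m.value, {"httponly": bool(m["httponly"]), "secure": bool(m["secure"])}

def missing_hardening(flags):
    """Cookie attributes the docs promise that a login response failed to set."""
    return [f for f in ("httponly", "secure") if not flags[f]]

class CookieSession:
    """Replays the JWT cookie, re-logs in once on 401, adopts rotated cookies."""
    def __init__(self, transport, email, password):
        self.transport, self.creds, self.cookie = transport, (email, password), None
    def login(self):
        body = json.dumps({"email": self.creds[0], "password": self.creds[1]})
        status, headers, _ = self.transport("POST", "/api/auth/login", {}, body)
        if status != 200:
            raise PermissionError(f"login failed with status {status}")
        name, value, flags = parse_set_cookie(headers["Set-Cookie"])
        self.cookie = (name, value)
        return flags
    def call(self, method, path, retry=True):
        if self.cookie is None:
            self.login()
        # The Cookie header is what a browser would attach automatically.
        status, headers, body = self.transport(method, path, {"Cookie": "%s=%s" % self.cookie}, None)
        if status == 401 and retry:  # expired token: log in again and retry once
            self.login()
            return self.call(method, path, retry=False)
        if "Set-Cookie" in headers:  # /api/auth/refresh replaced the cookie; keep the new one
            self.cookie = parse_set_cookie(headers["Set-Cookie"])[:2]
        return status, body

class FakeServer:  # constructed stand-in for a NodeLoom instance; cookie name 'token' is assumed
    def __init__(self):
        self.n, self.valid = 0, set()
    def issue(self):  # mint a new token; the previous one stops validating
        self.n, self.valid = self.n + 1, {f"jwt{self.n + 1}"}
        return {"Set-Cookie": f"token=jwt{self.n}; Path=/; HttpOnly; Secure; SameSite=Strict"}
    def __call__(self, method, path, headers, body):
        if path == "/api/auth/login":
            ok = json.loads(body)["password"] == "securepassword123"
            return (200, self.issue(), "{}") if ok else (401, {}, "")
        if headers.get("Cookie", "").partition("=")[2] not in self.valid:
            return 401, {}, ""
        if path == "/api/auth/refresh":
            return 200, self.issue(), '{"message": "Token refreshed successfully"}'
        return 200, {}, '{"ok": true}'
```

Against a real instance, replace `FakeServer` with a transport built on `http.client` or `requests` and keep the `missing_hardening` check: an empty list confirms the deployment really sets HttpOnly and Secure on the session cookie.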