Skip to content

API: Auth

Permission: none (public endpoint).

Request:

{
"email": "admin@twistcue.local",
"password": "twistcue-admin-dev"
}

Response 200:

{
"access_token": "eyJhbGciOi...",
"admin": {
"id": "0193...",
"email": "admin@twistcue.local",
"name": "Admin",
"role": "superadmin",
"permissions": ["*"]
}
}

Sets an HttpOnly cookie tc_admin_token on the response.

Response 401:

{ "statusCode": 401, "error": "invalid_credentials" }

Response 403:

{ "statusCode": 403, "error": "admin_disabled" }
  • JWT exp: 12 hours.
  • Cookie Max-Age matches.
  • token_version claim: if the admin’s DB token_version is bumped (e.g. after a force-logout), the token is rejected on the next request.
Terminal window
# Header style
curl -H "Authorization: Bearer $TOKEN" https://api.twistcue.local/v1/admin/users
# Cookie style (browser default)
curl --cookie "tc_admin_token=$TOKEN" https://api.twistcue.local/v1/admin/users