Authentication

Recruso API uses Bearer authentication with short-lived access tokens and refresh tokens.
All protected endpoints require a valid Authorization header with a short-lived access token.

Authentication Flow

1. Login
   Use the /identity/login endpoint to authenticate with user credentials.
   The response will return:

   • An access token (valid for 15 minutes)
   • A refresh token (long-lived; must be stored securely)

2. Accessing Protected Endpoints
   Include the access token in the request header for all secured endpoints:

   Authorization: Bearer {access_token}
   
   

3. Refreshing Tokens
   When the access token expires, use the /identity/refresh endpoint to request a new token pair. You must provide:

   • The expired access token
   • The valid refresh token

The response will return a new access token and refresh token pair.

Endpoints

• POST /identity/login : Authenticates the user and returns an access token + refresh token.
• POST /identity/refresh: Requests a new token pair using the expired access token and the refresh token.

For full request/response schemas and examples, see Interactive docs

Security Best Practices

• Always use HTTPS to protect tokens in transit.
• Store refresh tokens securely (e.g., in an encrypted database or secure storage).
• Implement token expiration and rotation to minimize risk.

Summary

• Login → Get accessToken + refreshToken
• Use accessToken → Add to Authorization: Bearer {token} header
• On expiry → Call /identity/refresh with the expired access token and refresh token to obtain new tokens

👉 Next, learn how to interact with the API in Requests and Responses.