Authentication
The DokStamp API uses JWT Bearer tokens issued by Laravel Passport. Every request to a protected endpoint must include a valid token in the `Authorization` header.
Obtain a token
Send your credentials to `POST /auth/login`. The response contains the following fields:

| Field | Type | Description |
|---|---|---|
| access_token | string | JWT token. Use this in the `Authorization` header. |
| refresh_token | string | Use this to obtain a new token pair when the current one expires. |
| token_type | string | Always "Bearer". |
| expires_in | integer | Validity in seconds (31 536 000 = 1 year). |
Use the token
Include the token in the `Authorization` header of every subsequent request (`Authorization: Bearer <access_token>`).

The `X-Tenant` header is required on all resource endpoints. See Multi-tenancy for details.

Refresh a token
Tokens are valid for 1 year. Before expiry, or if a token is revoked, exchange your refresh token for a new pair at `POST /auth/refresh`. The response has the same fields as `/auth/login`.
Logout
Revoke the current access token (server-side blacklist) with `POST /auth/logout`.

Public endpoints
A small number of endpoints do not require authentication:

| Endpoint | Purpose |
|---|---|
| POST /auth/login | Obtain tokens |
| POST /auth/refresh | Refresh tokens |
| GET /files/{file}/download | Download a signed document by UUID |
Security recommendations
- Store tokens in environment variables or secrets managers; never hard-code them.
- Rotate tokens if a compromise is suspected by calling `POST /auth/logout` and re-authenticating.
- Each API user should have their own credentials; avoid sharing tokens between systems.
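A token-lifecycle client that ties the steps above together, as an added Python example (not DokStamp's own SDK): it logs in, sends `Authorization: Bearer` plus `X-Tenant` on resource calls, refreshes shortly before `expires_in` runs out, and revokes the token on logout. The HTTP transport is injectable so the whole flow can be exercised offline. Assumed rather than taken from the docs: JSON request bodies, a `{"refresh_token": ...}` body for `/auth/refresh`, the credential field names, and the `DOKSTAMP_*` environment variable names.

```python
"""Token lifecycle for the DokStamp API: login, authenticated calls with
X-Tenant, refresh before expiry, logout.

Added example, not DokStamp's own SDK.  Assumptions not taken from the docs:
JSON request bodies, a {"refresh_token": ...} body for /auth/refresh, and
the DOKSTAMP_* environment variable names used by from_env().
"""
import json
import os
import time
import urllib.request
from typing import Any, Callable, Optional

# Transport: (method, url, headers, json_body) -> (status, parsed JSON body)
Transport = Callable[[str, str, dict, Optional[dict]], tuple]


def urllib_transport(method: str, url: str, headers: dict,
                     body: Optional[dict]) -> tuple:
    """Real HTTP transport built on the standard library."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Accept": "application/json",
                 "Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


class DokStampClient:
    # Refresh this many seconds before expires_in elapses so an in-flight
    # request never races the expiry (value is this example's choice).
    REFRESH_MARGIN = 300

    def __init__(self, base_url: str, tenant: str,
                 transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self.tenant = tenant          # sent as X-Tenant on resource calls
        self._transport = transport   # injectable for offline tests
        self._clock = clock
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.expires_at = 0.0

    @classmethod
    def from_env(cls, base_url: str, tenant: str, **kw) -> "DokStampClient":
        """Load a previously issued pair from the environment instead of
        hard-coding it (the variable names are hypothetical)."""
        c = cls(base_url, tenant, **kw)
        c.access_token = os.environ.get("DOKSTAMP_ACCESS_TOKEN")
        c.refresh_token = os.environ.get("DOKSTAMP_REFRESH_TOKEN")
        c.expires_at = float(os.environ.get("DOKSTAMP_EXPIRES_AT", "0"))
        return c

    def _store_pair(self, payload: dict) -> None:
        """Validate and keep a token response from /auth/login or /auth/refresh."""
        if payload.get("token_type") != "Bearer":
            raise ValueError("unexpected token_type: %r" % payload.get("token_type"))
        self.access_token = payload["access_token"]
        self.refresh_token = payload["refresh_token"]
        self.expires_at = self._clock() + int(payload["expires_in"])

    def _post(self, path: str, headers: dict, body: Optional[dict]) -> Any:
        status, data = self._transport("POST", self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"{path} failed with HTTP {status}")
        return data

    def login(self, credentials: dict) -> None:
        """POST /auth/login (public). The credential field names are not
        fixed by this example; pass whatever your tenant's login expects."""
        self._store_pair(self._post("/auth/login", {}, credentials))

    def refresh(self) -> None:
        """POST /auth/refresh (public): trade the refresh token for a new pair."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token; call login() first")
        self._store_pair(self._post("/auth/refresh", {},
                                    {"refresh_token": self.refresh_token}))

    def needs_refresh(self) -> bool:
        return self._clock() >= self.expires_at - self.REFRESH_MARGIN

    def auth_headers(self, with_tenant: bool = True) -> dict:
        """Bearer header, plus X-Tenant for resource endpoints."""
        if not self.access_token:
            raise RuntimeError("not authenticated")
        headers = {"Authorization": f"Bearer {self.access_token}"}
        if with_tenant:
            headers["X-Tenant"] = self.tenant
        return headers

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        """Call a protected endpoint, refreshing first if the pair is near expiry."""
        if self.needs_refresh():
            self.refresh()
        status, data = self._transport(method, self.base_url + path,
                                       self.auth_headers(), body)
        if status == 401:
            raise PermissionError("token rejected by the server; re-authenticate")
        return data

    def logout(self) -> None:
        """POST /auth/logout: revoke the access token server-side, then forget it."""
        self._post("/auth/logout", self.auth_headers(with_tenant=False), None)
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0
```

In production, construct the client with the default transport and real clock; the `clock` and `transport` parameters exist only so the refresh-before-expiry path can be driven deterministically in tests without waiting a year.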