title: Authentication
description: Nanami API authentication model: login, refresh, cookies/tokens, and scoped access.
Nanami API uses bearer access tokens with refresh workflows.
In examples below, replace https://api.example.nanami.dev with your public Nanami API base URL.
Login flow
- Call POST /api/v1/auth/login with email/password.
- Receive access and refresh tokens.
- Send access token as Authorization: Bearer <token>.
```bash
curl -X POST https://api.example.nanami.dev/api/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"<email>","password":"your-password"}'
```
Refresh flow
Call POST /api/v1/auth/refresh before access token expiry.
```bash
curl -X POST https://api.example.nanami.dev/api/v1/auth/refresh \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken":"<refresh-token>"}'
```
Authenticated request example
```bash
curl https://api.example.nanami.dev/api/v1/networks \
  -H 'Authorization: Bearer <access-token>'
```
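A client-side example of the login, refresh and authenticated-request steps above, added here and not taken from Nanami's own code. The response field names accessToken, refreshToken and expiresIn, and the names TokenSession and http_post, are assumptions; check them against the login response your deployment returns.

```python
import json
import time
import urllib.request

def http_post(url, body):
    """Real transport: JSON POST, matching the curl calls above."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenSession:
    """Keeps tokens in memory only and refreshes before the access token expires."""
    def __init__(self, base_url, post=http_post, clock=time.monotonic, skew=30):
        if not base_url.startswith("https://"):
            raise ValueError("refusing to send credentials over a non-TLS URL")
        self.base, self.post, self.clock, self.skew = base_url.rstrip("/"), post, clock, skew
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _store(self, body):
        # ASSUMPTION: response fields accessToken / refreshToken / expiresIn (seconds).
        self.access = body["accessToken"]
        self.refresh = body.get("refreshToken", self.refresh)  # keep old one if not rotated
        self.expires_at = self.clock() + body["expiresIn"]

    def login(self, email, password):
        self._store(self.post(self.base + "/api/v1/auth/login",
                              {"email": email, "password": password}))

    def auth_header(self):
        if self.access is None:
            raise RuntimeError("call login() first")
        if self.clock() >= self.expires_at - self.skew:  # refresh before expiry
            self._store(self.post(self.base + "/api/v1/auth/refresh",
                                  {"refreshToken": self.refresh}))
        return {"Authorization": "Bearer " + self.access}

def demo():
    """Offline run against a constructed fake server and a fake clock."""
    now, calls = [0.0], []
    def fake_post(url, body):
        calls.append(url.rsplit("/", 1)[-1])
        return {"accessToken": f"at-{len(calls)}", "refreshToken": f"rt-{len(calls)}", "expiresIn": 300}
    s = TokenSession("https://api.example.nanami.dev", fake_post, clock=lambda: now[0])
    s.login("user@example.test", "constructed-password")
    first = s.auth_header()["Authorization"]   # fresh token, no refresh
    now[0] = 280.0                              # inside the 30 s skew window
    second = s.auth_header()["Authorization"]  # triggers one refresh
    return first, second, calls, s.refresh
```

Pass the returned header to each API call, such as GET /api/v1/networks, so a refresh happens transparently when the token is within the skew window of expiry.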
Additional auth workflows
- OAuth provider start/callback endpoints (/api/v1/auth/oauth/:provider/*)
- Invite acceptance (/api/v1/auth/invites/accept)
- Password reset request/confirm
- MFA enrollment and verification endpoints
Security notes
- Treat refresh tokens as long-lived credentials.
- Rotate compromised credentials immediately.
- Use TLS for all public API traffic.
Note
Some WebUI deployments keep auth tokens in httpOnly cookies and proxy requests through BFF routes.