Authentication
The IPTO API uses a passwordless authentication system with magic links. This guide will walk you through the authentication process.
Request Magic Link
To start the authentication process, you need to request a magic link by providing your email address.
curl -X POST https://api.ipto.ai/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'
Response
{
  "message": "Magic link sent successfully"
}
The magic link will be sent to your email address and will be valid for 10 minutes.
Verify Magic Link
Once you receive the magic link in your email, click it or use the token in the URL to verify your authentication.
curl -X GET "https://api.ipto.ai/auth/verify?token=YOUR_MAGIC_LINK_TOKEN"
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer"
}
Using the Access Token
Include the access token in the Authorization header for all authenticated requests:
curl -X GET https://api.ipto.ai/assets \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Refresh Token
To refresh your access token before it expires:
curl -X POST https://api.ipto.ai/auth/refresh \
  -H "Authorization: Bearer YOUR_CURRENT_ACCESS_TOKEN"
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer"
}
Security Best Practices
- Always use HTTPS for API requests
- Store access tokens securely
- Never share your access tokens
- Refresh tokens before they expire
- Implement proper error handling for authentication failures
Error Responses
Invalid Magic Link
{
  "detail": "Invalid or expired magic link token"
}
Invalid Access Token
{
  "detail": "Invalid authentication credentials"
}
Rate Limiting
The authentication endpoints have the following rate limits:
- Magic link requests: 3 per hour per email
- Token verification: 5 attempts per magic link
- Token refresh: 10 times per hour per token
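One way a client can follow "Refresh tokens before they expire" while staying inside the refresh limit listed above. This is an added example, not IPTO's own code. It assumes the access token is a JWT carrying a standard `exp` claim (the page shows only the token's HS256 header), and the names `jwt_claims`, `should_refresh`, `RefreshBudget` and `make_sample_token` are hypothetical.

```python
import base64
import json
import time
from collections import deque

REFRESH_LIMIT = 10        # from the page: token refresh, 10 times per hour per token
WINDOW_SECONDS = 3600


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (scheduling use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def should_refresh(token, now, margin=60):
    """True when the token expires within `margin` seconds (assumes an `exp` claim)."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no exp claim")
    return now >= exp - margin


class RefreshBudget:
    """Client-side sliding window that keeps refresh calls under the documented limit."""
    def __init__(self, limit=REFRESH_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window, self.calls = limit, window, deque()

    def allow(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()          # forget calls older than the window
        if len(self.calls) >= self.limit:
            return False                  # would exceed the limit: wait instead
        self.calls.append(now)
        return True


def make_sample_token(exp):
    # Constructed sample: HS256 header as shown on the page, dummy signature.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"sub": "user", "exp": exp}), "sig"])


if __name__ == "__main__":
    token = make_sample_token(exp=int(time.time()) + 30)
    print("refresh now?", should_refresh(token, now=time.time()))
```

The decoded claims are used only to decide when to call /auth/refresh; the server remains the authority on whether a token is valid.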