Authentication
Authenticate with the GitScrum API using Bearer tokens. Login with email and password, handle MFA, refresh and revoke tokens.
All API requests require a Bearer token in the Authorization header. Tokens are issued via the login endpoint and expire after 1 year.
Authorization: Bearer {token}Login
POST /auth/login
Authenticates a user with email and password. Returns a Bearer token for subsequent API calls.
curl -X POST https://services.gitscrum.com/auth/login \
-H "Content-Type: application/json" \
-H "X-Client-Type: api" \
-d '{
"email": "jane@acme.co",
"password": "your-password"
}'Request body
| Parameter | Type | Required | Description |
|---|---|---|---|
email | string | Yes | Account email address |
password | string | Yes | Account password |
language | string | No | Preferred language: en, es, pt, fr |
token_invitation | string | No | Workspace invitation token for auto-join on login |
Headers
| Header | Required | Description |
|---|---|---|
Content-Type | Yes | application/json |
X-Client-Type | Recommended | Set to api for API integrations |
Response 200 OK
{
"data": {
"companies": [
{
"slug": "acme-corp",
"name": "Acme Corp",
"logo": "https://cdn.gitscrum.com/logo.png"
}
],
"user": {
"id": 1,
"uuid": "user-uuid-123",
"name": "Jane Smith",
"username": "janesmith",
"email": "jane@acme.co",
"avatar": "https://avatar.url/jane.jpg",
"headline": "Lead Developer",
"timezone_name": "Europe/Lisbon",
"language": "en"
},
"token_type": "Bearer",
"access_token": "eyJ0eXAiOiJKV1Q..."
}
}Error responses
| Status | Condition | Body |
|---|---|---|
404 | Wrong email or password | { "message": "Incorrect email or password." } |
404 | Account disabled | { "message": "This account is disabled." } |
403 | Workspace at capacity | { "message": "...", "errorcode": "WORKSPACEAT_CAPACITY" } |
403 | No workspace access | { "message": "...", "errorcode": "NOWORKSPACE_ACCESS" } |
MFA (Two-Factor Authentication)
If MFA is enabled on the account, the login endpoint returns a challenge instead of a token.
Step 1 — Login returns MFA challenge
{
"mfa_required": true,
"mfa_token": "random-64-character-string",
"message": "MFA verification required"
}The mfa_token is valid for 5 minutes.
Step 2 — Verify the MFA code
POST /auth/login/mfa-verify
curl -X POST https://services.gitscrum.com/auth/login/mfa-verify \
-H "Content-Type: application/json" \
-d '{
"mfa_token": "random-64-character-string",
"mfa_code": "123456"
}'| Parameter | Type | Required | Description |
|---|---|---|---|
mfa_token | string | Yes | Token from the MFA challenge response |
mfa_code | string | Yes | 6-digit TOTP code from your authenticator app, or a recovery code |
Returns the same 200 OK response as a standard login with access_token.
Shortcut — You can also passmfa_codedirectly in the initial/auth/loginrequest body to skip the two-step flow, if you already have the TOTP code available.
Verify authentication
POST /auth/me
Returns the authenticated user profile. Use this to validate a token.
curl -X POST https://services.gitscrum.com/auth/me \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json"Response 200 OK
{
"data": {
"id": 1,
"uuid": "user-uuid-123",
"name": "Jane Smith",
"username": "janesmith",
"email": "jane@acme.co",
"avatar": "https://avatar.url/jane.jpg",
"headline": "Lead Developer",
"timezone_name": "Europe/Lisbon",
"language": "en"
}
}Refresh token
POST /auth/refresh
Revokes the current token and issues a new one. Use this for token rotation without requiring the user to log in again.
curl -X POST https://services.gitscrum.com/auth/refresh \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json"Response 200 OK
{
"data": {
"token_type": "Bearer",
"access_token": "eyJ0eXAiOiJKV1Q..."
}
}After refresh, the previous token is immediately revoked. Update your stored token with the new access_token.Logout
POST /auth/logout
Revokes the current token. The token cannot be used after this call.
curl -X POST https://services.gitscrum.com/auth/logout \
-H "Authorization: Bearer {token}" \
-H "Content-Type: application/json"Response 200 OK
{
"message": "Successful logout"
}Error response
If the token is missing, invalid, or expired, the API returns 401 Unauthorized:
{
"error": "Unauthorized",
"message": "Invalid or expired token"
}Token reference
| Property | Value |
|---|---|
| Token type | Bearer (Laravel Passport Personal Access Token) |
| Lifetime | 1 year |
| Format | JWT |
| Passed via | Authorization: Bearer {token} header |
| Scope resolution | Automatic, based on your subscription plan |
| Revocation | On logout, refresh, or manual revocation |
Security best practices
- Never expose tokens in client-side code or public repositories
- Use environment variables to store tokens in your applications
- Rotate tokens periodically using the
/auth/refreshendpoint - Use HTTPS only — the API rejects plain HTTP requests
- Handle MFA — always check for
mfa_required: truein login responses