Authentication

Flow uses access tokens and refresh tokens to authenticate incoming requests. Any request that needs to be sent as a logged-in user must carry an access token in its HTTP headers. These short-lived tokens are obtained from specific endpoints when a long-lived refresh token is sent as a cookie.

Refresh Tokens

A refresh token is a JWT stored in an HTTP-only cookie on the client. It lasts for one year, and any client holding this cookie can obtain an access token at any time.

Refresh tokens are obtained from the /login endpoint.

Obtaining refresh token using cURL

curl -X POST https://api.flow.bio/login \
     -H "Content-Type: application/json" \
     -d '{"username": "yourUsername", "password": "yourPassword"}'

Assuming the credentials are correct, the HTTP response will set an HTTP-only cookie on the client that sent the request.

Access tokens

An access token is a JWT string that lasts for thirty minutes. It can be obtained from the /token endpoint:

Obtaining an access token using a refresh token

curl -X GET "https://api.flow.bio/token" \
     -b "flow_refresh_token=YOUR_REFRESH_TOKEN_VALUE"

The access token returned should be sent in the Authorization header of any request that is to be authenticated:

Using the access token in a request

curl -X GET "https://api.flow.bio/me" \
     -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Note that the /login endpoint also returns an access token, so unless you need to refresh it later, you may be able to skip this second request.
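The full login, refresh and authenticated-request sequence described above, written as a small Python client. This is an added example, not Flow's own client library: the transport callable is a constructed stand-in for an HTTP library so the code runs offline, and the "access_token" response field name is an assumption rather than something the documentation states.

```python
import base64
import json
import time
# Constructed abstraction: transport(method, url, headers, cookies, json_body)
# -> (status, response_cookies, response_json); "access_token" is an assumed field.

def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim of a JWT without verifying it: used only to schedule
    refreshes, since signature validation is the server's job, not the client's."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

class FlowClient:
    BASE = "https://api.flow.bio"
    COOKIE = "flow_refresh_token"  # cookie name from the /token example above
    SKEW = 60  # renew the access token this many seconds before its 'exp'

    def __init__(self, transport, now=time.time):
        self._send, self._now = transport, now
        self._refresh = None  # refresh token stays in memory only, never on disk
        self._access, self._exp = None, 0

    def login(self, username: str, password: str) -> None:
        status, cookies, body = self._send(
            "POST", f"{self.BASE}/login", {"Content-Type": "application/json"},
            {}, {"username": username, "password": password})
        if status != 200 or self.COOKIE not in cookies:
            raise PermissionError(f"login failed: HTTP {status}")
        self._refresh = cookies[self.COOKIE]
        self._access, self._exp = body["access_token"], jwt_expiry(body["access_token"])

    def access_token(self) -> str:
        # Reuse the cached token; call /token with the cookie when it is near expiry.
        if self._refresh is None:
            raise PermissionError("not logged in")
        if self._access is None or self._now() + self.SKEW >= self._exp:
            status, _, body = self._send(
                "GET", f"{self.BASE}/token", {}, {self.COOKIE: self._refresh}, None)
            if status != 200:
                raise PermissionError(f"refresh failed: HTTP {status}")
            self._access, self._exp = body["access_token"], jwt_expiry(body["access_token"])
        return self._access

    def get(self, path: str) -> dict:
        headers = {"Authorization": f"Bearer {self.access_token()}"}
        status, _, body = self._send("GET", f"{self.BASE}{path}", headers, {}, None)
        if status != 200:
            raise PermissionError(f"{path} returned HTTP {status}")
        return body
```

A real transport would send the cookie on the /token request and nothing else, so the long-lived refresh token is never attached to ordinary API calls.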
