Jan 5, 2025
Authentication
Leora secures API access with OAuth 2.0. Clients receive a short-lived JWT access token that is presented on every API call and a long-lived refresh token that renews the session without re-authenticating, so a compromised access token is only useful for minutes while the refresh token never leaves the client's secure storage.
3.1 Auth Flows
1. Client Credentials Grant (machine-to-machine):
Ideal for server-side applications. The client exchanges its client_id and client_secret for an access token. Keep the client_secret on the server; never embed it in browser, mobile or other distributed code.
2. Authorization Code Grant (interactive user flows):
Obtain an authorization code via a browser redirect, then exchange the code at the token endpoint for an access token and a refresh token.
3.2 Token Types & Lifetimes
Token | Format | Lifetime | Usage
---|---|---|---
Access Token | JWT (RS256) | 15 minutes (default) | Sent as a Bearer token on every API call
Refresh Token | Opaque string | 30 days (configurable) | Exchanged for a new access token via the token endpoint
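The check a resource server must run on every access token is not shown on the page, so the following is an added example, not Leora's own code. It verifies an RS256 JWT end to end (algorithm pinned to RS256, PKCS#1 v1.5 signature, issuer, audience, expiry, scope) and maps each failure onto the error codes the API uses: invalid_token for anything malformed, forged or expired, insufficient_scope when the signature is fine but the scope is missing. The claim names iss, aud and scope, the issuer and audience strings, and the hand-rolled demo-size RSA key generator are all assumptions made so the example runs offline; in production use a vetted JWT library and the issuer's published public key.

```python
import base64
import hashlib
import json
import secrets
import time

# RSASSA-PKCS1-v1_5 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


class TokenError(Exception):
    """Carries the (HTTP status, error code) pair the API returns for a failed check."""
    def __init__(self, status: int, error: str, detail: str):
        super().__init__(f"{status} {error}: {detail}")
        self.status, self.error = status, error


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, only for the hypothetical demo key generator below."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force the top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_demo_keypair(bits: int = 1024) -> tuple:
    """Assumed stand-in for the issuer's real key: returns ({'n','e'}, {'n','d'}), demo-sized so it runs in seconds."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is exactly gcd(e, phi) == 1
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo, padded to the modulus length k."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def mint_access_token(private: dict, claims: dict) -> str:
    """Authorization-server side: sign header.payload with RS256 (here only to give the verifier input)."""
    k = (private["n"].bit_length() + 7) // 8
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    em = int.from_bytes(_pkcs1_v15_encode(f"{header}.{payload}".encode(), k), "big")
    sig = pow(em, private["d"], private["n"]).to_bytes(k, "big")
    return f"{header}.{payload}.{b64url(sig)}"


def verify_access_token(token: str, public: dict, issuer: str, audience: str,
                        required_scope: str, now: float = None) -> dict:
    """Resource-server side: every failed check maps onto the API's error table."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # bad segment count, bad base64, bad JSON or bad UTF-8
        raise TokenError(401, "invalid_token", "malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError(401, "invalid_token", "malformed token")
    # Pin the algorithm server-side: the header must never be allowed to choose 'none' or an HMAC alg.
    if header.get("alg") != "RS256":
        raise TokenError(401, "invalid_token", "unexpected alg")
    k = (public["n"].bit_length() + 7) // 8
    s_int = int.from_bytes(sig, "big")
    if len(sig) != k or s_int >= public["n"]:
        raise TokenError(401, "invalid_token", "bad signature encoding")
    expected = _pkcs1_v15_encode(f"{h}.{p}".encode(), k)
    actual = pow(s_int, public["e"], public["n"]).to_bytes(k, "big")
    if not secrets.compare_digest(expected, actual):
        raise TokenError(401, "invalid_token", "signature mismatch")
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise TokenError(401, "invalid_token", "wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError(401, "invalid_token", "expired")
    if required_scope not in str(claims.get("scope", "")).split():
        raise TokenError(403, "insufficient_scope", f"requires {required_scope}")
    return claims


def error_of(fn, *args, **kwargs):
    """Return (status, error) from the TokenError fn raises, or None when it succeeds."""
    try:
        fn(*args, **kwargs)
    except TokenError as exc:
        return exc.status, exc.error
    return None
```

The order of the checks matters: signature before claims, so an attacker who edits the payload to add a scope gets invalid_token rather than a hint about which claim was inspected, and the 403 is only ever returned for a token whose signature and lifetime have already been accepted.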
3.3 Token Endpoint
Endpoint
Supported grant_type values: client_credentials, authorization_code, refresh_token
Response (200):
3.4 Revocation & Introspection
Revocation: invalidates an access or refresh token immediately, before its natural expiry.
Introspection: returns whether a token is currently active, so a resource server can reject revoked tokens rather than trusting them until they expire.
Introspection Response
3.5 Error Responses
HTTP Code | Error | Description
---|---|---
400 | invalid_request | Missing parameters or unsupported grant
401 | invalid_client | Client authentication failed
403 | insufficient_scope | Token lacks the required scope
401 | invalid_token | Token malformed, expired or revoked
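The token lifecycle that sections 3.1, 3.3 and 3.4 describe, with both sides of the exchange and the error table above driving the client's decisions, as an added example that is not Leora's own code. The authorization server, the resource server and the client are all in-memory stand-ins constructed for the demo (no real endpoint URL is assumed); the client_credentials grant, refresh_token grant, revocation and introspection behave as the page describes, while refresh-token rotation and the invalid_grant code for a bad refresh token are assumptions taken from RFC 6749 rather than from this page. The point worth copying is the client's retry policy: refresh a little before the 15-minute expiry, retry exactly once on 401 invalid_token, fall back to client_credentials if the refresh token itself is rejected, and never retry a 403 insufficient_scope because a fresh token will not carry more scope.

```python
import secrets

ACCESS_TTL = 15 * 60          # the page's default access-token lifetime (15 minutes)
REFRESH_TTL = 30 * 24 * 3600  # the page's default refresh-token lifetime (30 days)
SKEW = 30                     # refresh this many seconds early to absorb clock drift


class OAuthError(Exception):
    def __init__(self, status: int, error: str):
        super().__init__(f"{status} {error}")
        self.status, self.error = status, error


class FakeAuthServer:
    """In-memory stand-in for the token, revocation and introspection endpoints (constructed for this demo)."""
    def __init__(self, clock, clients: dict):
        self.clock, self.clients = clock, clients  # client_id -> (client_secret, granted scope)
        self.access, self.refresh = {}, {}         # token string -> record

    def _issue(self, client_id: str, scope: str) -> dict:
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "scope": scope, "exp": now + ACCESS_TTL, "active": True}
        self.refresh[rt] = {"client_id": client_id, "scope": scope, "exp": now + REFRESH_TTL, "active": True}
        return {"access_token": at, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": rt, "scope": scope}

    def token(self, grant_type: str, client_id: str, client_secret: str, refresh_token: str = None) -> dict:
        if grant_type not in ("client_credentials", "refresh_token"):  # authorization_code needs a browser; not simulated
            raise OAuthError(400, "invalid_request")
        known = self.clients.get(client_id)
        if known is None or not secrets.compare_digest(known[0], client_secret):
            raise OAuthError(401, "invalid_client")
        if grant_type == "client_credentials":
            return self._issue(client_id, known[1])
        rec = self.refresh.get(refresh_token)
        if not rec or not rec["active"] or rec["client_id"] != client_id or self.clock() >= rec["exp"]:
            raise OAuthError(400, "invalid_grant")  # RFC 6749 code for a bad refresh token; assumed, not in the page's table
        rec["active"] = False                        # assumption: refresh tokens rotate, so each one is single-use
        return self._issue(client_id, rec["scope"])

    def revoke(self, token: str) -> None:
        """Takes effect immediately; unknown tokens are accepted silently, as RFC 7009 requires."""
        for store in (self.access, self.refresh):
            if token in store:
                store[token]["active"] = False

    def introspect(self, token: str) -> dict:
        rec = self.access.get(token)
        if not rec or not rec["active"] or self.clock() >= rec["exp"]:
            return {"active": False}  # no reason given: revoked, expired and unknown look identical to a prober
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"], "exp": rec["exp"]}


class FakeResource:
    """Protected API that checks every bearer token by introspection (constructed for this demo)."""
    def __init__(self, auth: FakeAuthServer):
        self.auth = auth

    def get(self, path: str, bearer: str, required_scope: str) -> dict:
        info = self.auth.introspect(bearer)
        if not info["active"]:
            raise OAuthError(401, "invalid_token")
        if required_scope not in info["scope"].split():
            raise OAuthError(403, "insufficient_scope")
        return {"path": path, "client_id": info["client_id"]}


class LeoraClient:
    """Hypothetical client: caches tokens, refreshes early, retries once on invalid_token, never on 403."""
    def __init__(self, auth, resource, client_id: str, client_secret: str, clock):
        self.auth, self.resource, self.clock = auth, resource, clock
        self.client_id, self.client_secret = client_id, client_secret
        self.tokens, self.expires_at = None, 0

    def _fetch(self, grant_type: str, **extra) -> None:
        self.tokens = self.auth.token(grant_type, self.client_id, self.client_secret, **extra)
        self.expires_at = self.clock() + self.tokens["expires_in"]

    def access_token(self) -> str:
        if self.tokens is None:
            self._fetch("client_credentials")
        elif self.clock() >= self.expires_at - SKEW:
            try:
                self._fetch("refresh_token", refresh_token=self.tokens["refresh_token"])
            except OAuthError as exc:
                if exc.error != "invalid_grant":
                    raise
                self._fetch("client_credentials")  # refresh token revoked or expired: start a new session
        return self.tokens["access_token"]

    def get(self, path: str, required_scope: str) -> dict:
        try:
            return self.resource.get(path, self.access_token(), required_scope)
        except OAuthError as exc:
            if exc.error != "invalid_token":
                raise  # 403 insufficient_scope: a new token carries no more scope, so retrying is pointless
        self.expires_at = 0  # the server rejected the cached token (revoked or expired): refresh and retry once
        return self.resource.get(path, self.access_token(), required_scope)


def error_of(fn, *args, **kwargs):
    """Return (status, error) from the OAuthError fn raises, or None when it succeeds."""
    try:
        fn(*args, **kwargs)
    except OAuthError as exc:
        return exc.status, exc.error
    return None
```

The clock is injected so the 15-minute and 30-day lifetimes can be exercised without waiting; in a real client the same structure wraps HTTP calls to the token, revocation and introspection endpoints, and the secret comparison stays constant-time on the server side.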