Authentication
Most operations on the Vasco API require an authenticated user. Authentication is performed by sending a JWT in the Authorization header of every request.
- Pick the environment you want to target — see API endpoints.
- Have a user account. Users can register themselves through the public
CreateUsermutation, or be created by an admin (see the User Management recipe).
Obtaining a token
Send a POST request to /auth/login with the user's credentials:
curl -X POST https://api.<client>.vasco.fund/auth/login \
-H "Content-Type: application/json" \
-d '{
"username": "user@example.com",
"password": "<password>"
}'
The response body contains the JWT:
{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpXXXXXX.YYYYYY"
}
Using the token
Pass the token as a Bearer credential on every subsequent request to the authenticated GraphQL endpoint:
POST /graphql/ HTTP/1.1
Host: api.<client>.vasco.fund
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpXXXXXX.YYYYYY
Content-Type: application/json
{ "query": "query { GetCurrentUser { id email } }" }
JWTs have a limited lifetime. When a request is rejected because the token is missing, malformed, or expired, the server returns an authentication error — call /auth/login again to obtain a fresh token.
Forgotten password
A user who has lost their password can trigger the standard reset flow without being authenticated:
RequestPasswordReset— sends a reset email to the user.ResetPassword— consumes the token from the email and sets a new password.
Operations that do not require a token
Sign-up and password-reset operations are exposed on the public GraphQL endpoint and can be called anonymously. Browse the Public API section of the API Reference for the full list.
Related
- API endpoints — where to send requests
- User Management recipe — create and manage users from the authenticated API
CreateUser— public self-registration