Skip to main content

Authentication

Most operations on the Vasco API require an authenticated user. Authentication is performed by sending a JWT in the Authorization header of every request.

Prerequisites

Obtaining a token

Send a POST request to /auth/login with the user's credentials:

curl -X POST https://api.<client>.vasco.fund/auth/login \
-H "Content-Type: application/json" \
-d '{
"username": "user@example.com",
"password": "<password>"
}'

The response body contains the JWT:

{
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpXXXXXX.YYYYYY"
}

Using the token

Pass the token as a Bearer credential on every subsequent request to the authenticated GraphQL endpoint:

POST /graphql/ HTTP/1.1
Host: api.<client>.vasco.fund
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpXXXXXX.YYYYYY
Content-Type: application/json

{ "query": "query { GetCurrentUser { id email } }" }

JWTs have a limited lifetime. When a request is rejected because the token is missing, malformed, or expired, the server returns an authentication error — call /auth/login again to obtain a fresh token.

Forgotten password

A user who has lost their password can trigger the standard reset flow without being authenticated:

  1. RequestPasswordReset — sends a reset email to the user.
  2. ResetPassword — consumes the token from the email and sets a new password.

Operations that do not require a token

Sign-up and password-reset operations are exposed on the public GraphQL endpoint and can be called anonymously. Browse the Public API section of the API Reference for the full list.