API Authentication
IOTMER supports two authentication methods for the REST API.
JWT Bearer Token
Obtain a token via login:
```http
POST /auth/login
Content-Type: application/json

{
  "email": "you@example.com",
  "password": "your-password"
}
```
Response:
```json
{
  "access_token": "eyJhbGci...",
  "refresh_token": "eyJhbGci...",
  "expires_in": 3600
}
```
Use the access token in subsequent requests:
```http
Authorization: Bearer eyJhbGci...
```
Refresh a token
```http
POST /auth/refresh
Content-Type: application/json

{ "refresh_token": "eyJhbGci..." }
```
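The login and refresh flow above, as an added example (not IOTMER's own client code): a small token holder that logs in once, reuses the access token, and calls `/auth/refresh` shortly before `expires_in` runs out. Assumptions: `BASE_URL` is a placeholder because the page gives no host, the refresh response is assumed to carry the same fields as the login response, and the names `TokenSession`, `http_post` and the 60-second `skew` are hypothetical.

```python
import json
import time
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page gives no host


def http_post(path, body):
    """POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSession:
    """Holds the token pair and refreshes the access token before it expires."""

    def __init__(self, email, password, post=http_post, clock=time.monotonic, skew=60):
        self._creds = {"email": email, "password": password}
        self._post, self._clock, self._skew = post, clock, skew
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, reply):
        self._access = reply["access_token"]
        # Assumption: /auth/refresh may omit refresh_token; keep the old one then.
        self._refresh = reply.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + reply["expires_in"]

    def auth_header(self):
        """Return the Authorization header, logging in or refreshing as needed."""
        if self._access is None:
            self._store(self._post("/auth/login", self._creds))
        elif self._clock() >= self._expires_at - self._skew:
            self._store(self._post("/auth/refresh", {"refresh_token": self._refresh}))
        return {"Authorization": "Bearer " + self._access}

    def __repr__(self):
        # Keep credentials and tokens out of logs and tracebacks.
        return "<TokenSession authenticated=%s>" % (self._access is not None)
```

The `post` and `clock` parameters exist so the refresh timing can be exercised offline with a stub transport and a fake clock.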
API Key
For machine-to-machine use (backend services, CI pipelines), use a workspace API key:
X-API-Key: iotmer_ak_xxxxxxxxxxxxxxxxxxxxxxxx
API keys are workspace-scoped. See API Keys for how to create them.
Choosing between JWT and API key
| | JWT | API Key |
|---|---|---|
| Use case | User-facing apps, short sessions | Backend services, automation |
| Expiry | Short-lived (refresh required) | Does not expire (revoke manually) |
| Scope | User's permissions in workspace | Workspace-scoped |
Rate limits
See Rate Limits.