Authentication
Users must be authenticated before they can interact with most of the Bloom API endpoints (any endpoints requiring permissions). Authentication is done via a Bearer token (described below), or with an API key.
For more information, see headers.
Login
Login to your account to obtain an access token and refresh token. The access token is used to authenticate requests to the API, while the refresh token is used to obtain a new access token when the current one expires.
POST /auth/login
Example body
{
"email": "user@example.com",
"password": "password"
}
Fields
- emailrequired stringEmail address of the user.
- passwordrequired stringPassword of the user.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 204 | No Content | Login successful | |
| 400 | Bad Request | Invalid or missing field(s) | Error object |
| 401 | Unauthorized | Invalid email and/or password | Error object |
The Bloom API enforces a 2FA (two-factor authentication) policy for all users authenticating using the login endpoint.
Upon successful login, the API will return a 201 No Content response and an email will be sent to the user with a
one-time authentication code which is valid for 15 minutes.
This code must be submitted to the /auth/tfa endpoint to complete the login process and obtain access and refresh tokens.
Successful login attempts can only be completed once per 3-minute period.
If a user attempts to log in again within 3 minutes of a successful login,
they will receive a 429 Too Many Requests response and will not be sent a new one-time authentication code.
After 3 minutes, the user can attempt to log in again and will receive a new one-time authentication code.
TFA
The TFA (two-factor authentication) endpoint is used to complete the login process after a successful login attempt.
POST /auth/tfa
Example body
{
"email": "user@example.com",
"token": "TOKEN"
}
Fields
- emailrequired stringEmail address of the user.
- tokenrequired stringOne-time authentication code sent to the user's email address.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 201 | Created | Authentication successful | Authentication object |
| 400 | Bad Request | Invalid or missing field(s) | Error object |
| 401 | Unauthorized | Invalid email and/or token | Error object |
Authentication object
{
"data": {
"user": "019eb9a9-ea8e-71d1-944e-7r7d2di9f122",
"access": "ACCESS_TOKEN",
"refresh": "REFRESH_TOKEN",
"expires": 1783176140
}
}
Fields
- userrequired readonly stringUnique ID of the user.
- accessrequired readonly stringAccess token to be used in the
Authorizationheader for subsequent requests. - refreshrequired readonly stringRefresh token to be used to obtain a new access token.
- expiresrequired readonly integerUTC timestamp of when the access token expires.
Access tokens are valid for 15 minutes. Refresh tokens are valid for 7 days.
The refresh token can be submitted to the auth/refresh endpoint to obtain new access and refresh tokens without
having to log in again.
Refresh
The refresh endpoint is used to obtain new access and refresh tokens using a valid refresh token.
POST /auth/refresh
Example body
{
"refresh_token": "REFRESH_TOKEN"
}
Fields
- refresh_tokenrequired stringRefresh token obtained from the authentication object.
Response
| HTTP status | Title | Description | Schema |
|---|---|---|---|
| 201 | Created | Token refresh successful | Authentication object |
| 400 | Bad Request | Invalid or missing field(s) | Error object |
| 401 | Unauthorized | Invalid token | Error object |