Authentication

Learn how to authenticate users with the 8bit-ai API using secure, token-based authentication. This guide covers signup, login, email verification, password management, and session handling.


Authentication Flow

8bit-ai uses JWT (JSON Web Tokens) for authentication. All API requests must include a valid access token in the Authorization header. Access tokens expire after 15 minutes and can be exchanged for new ones using a refresh token.

Authentication Overview

The authentication system provides secure user access to the 8bit-ai platform. It includes:

  • Token-based authentication using JWT with access and refresh tokens
  • Email verification for new account security
  • Password reset flow with secure email-based recovery
  • Session management with automatic token refresh
  • Secure password hashing using industry-standard bcrypt

User Signup

Create a new user account with email and password. Upon successful registration, a verification email is sent to confirm the user's email address.


Password Requirements

Passwords must be at least 8 characters long and include at least one uppercase letter, one lowercase letter, one number, and one special character.

User Login

Authenticate a user and receive access and refresh tokens. The access token is used for API requests, while the refresh token is used to obtain new access tokens.


Email Verification Required

Users must verify their email address before they can log in. If the email is not verified, the login endpoint will return a 403 error with instructions to verify the email.

Email Verification

Verify a user's email address using the verification token sent via email during signup.


Resend Verification Email

If the verification email was not received or has expired, request a new one.


Verification Token Expiry

Verification tokens expire after 24 hours. If the token has expired, users can request a new verification email using the resend endpoint.

Password Reset

Allow users to securely reset their password through an email-based recovery flow.

Step 1: Request Password Reset

Initiate the password reset process by sending a reset email to the user.

Step 2: Reset Password

Use the token from the reset email to set a new password.


Security Note

Password reset tokens expire after 1 hour. For security reasons, the forgot-password endpoint always returns a success response, even if the email address is not registered, so that the endpoint cannot be used to enumerate existing accounts.

Token Refresh

Access tokens expire after 15 minutes. Use the refresh token to obtain a new access token without requiring the user to log in again.


Token Lifecycle

Access tokens expire after 15 minutes, while refresh tokens are valid for 30 days. Implement automatic token refresh in your client to provide a seamless user experience.

Session Management

Manage user sessions with logout functionality and session validation.

Logout

Invalidate the current refresh token and end the user session.

Get Current User

Retrieve information about the currently authenticated user.


Multiple Device Sessions

Users can be logged in on multiple devices simultaneously. Each device will have its own refresh token. Calling logout only invalidates the specific refresh token provided.

Authentication Headers

All authenticated API requests must include the access token in the Authorization header.


Error Responses

Authentication endpoints return standard error responses with appropriate HTTP status codes.

400 Bad Request

Invalid request body or missing required fields.

401 Unauthorized

Invalid credentials or expired/invalid token.

403 Forbidden

Email not verified or account suspended.

409 Conflict

Email already registered.

429 Too Many Requests

Rate limit exceeded.

Security Best Practices

Store Tokens Securely

Use httpOnly cookies or secure storage mechanisms. Avoid storing tokens in localStorage in production applications: any script running on the page can read localStorage, so a single XSS flaw exposes the tokens.

Implement Token Rotation

Always store and use the new refresh token returned from the refresh endpoint. The old refresh token is invalidated after each refresh, so reusing it will fail and force the user to log in again.

Handle Token Expiration

Implement automatic token refresh logic to handle expired access tokens gracefully without disrupting the user experience.
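The Token Lifecycle, Token Rotation and Token Expiration guidance above, as an added client-side example (not code from the 8bit-ai docs or SDK): a wrapper that sends the bearer header, refreshes once on 401, retries once, adopts both rotated tokens, and shares a single in-flight refresh so concurrent requests never replay an already-invalidated refresh token. The in-memory fake API, the `/auth/refresh` path and the token strings are constructed assumptions, not values from the page.

```javascript
// Constructed stand-in for the API so the example runs offline. The path
// '/auth/refresh' and the token strings are assumptions, not from the docs.
function makeFakeApi() {
  let n = 1, accessToken = 'access-1', refreshToken = 'refresh-1', accessExpired = false;
  const liveRefreshTokens = new Set([refreshToken]);
  return {
    tokens: () => ({ accessToken, refreshToken }),
    expireAccess: () => { accessExpired = true; },   // simulates the 15-minute expiry
    async fetch(path, { headers = {}, body } = {}) {
      const reply = (status, data) => ({ status, json: async () => data });
      if (path === '/auth/refresh') {
        const { refreshToken: presented } = JSON.parse(body);
        if (!liveRefreshTokens.has(presented)) return reply(401, { error: 'invalid refresh token' });
        liveRefreshTokens.delete(presented);          // rotation: the old refresh token dies here
        n += 1; accessToken = `access-${n}`; refreshToken = `refresh-${n}`; accessExpired = false;
        liveRefreshTokens.add(refreshToken);
        return reply(200, { accessToken, refreshToken });
      }
      if (accessExpired || headers.Authorization !== `Bearer ${accessToken}`)
        return reply(401, { error: 'expired/invalid token' });
      return reply(200, { path, ok: true });
    },
  };
}

// Client wrapper: bearer header on every call, one refresh + one retry on 401,
// both rotated tokens adopted. A single shared in-flight refresh matters because
// with rotation a second concurrent refresh would present a dead token.
class AuthClient {
  constructor(fetchFn, tokens) { this.fetch = fetchFn; this.tokens = { ...tokens }; this.refreshing = null; }
  refresh() {
    if (!this.refreshing) {
      this.refreshing = (async () => {
        const body = JSON.stringify({ refreshToken: this.tokens.refreshToken });
        const res = await this.fetch('/auth/refresh', { body });
        if (res.status !== 200) { this.tokens = null; throw new Error('session expired, login again'); }
        this.tokens = await res.json();               // new access AND new refresh token
      })().finally(() => { this.refreshing = null; });
    }
    return this.refreshing;
  }
  async request(path) {
    if (!this.tokens) throw new Error('not logged in');
    const call = () => this.fetch(path, { headers: { Authorization: `Bearer ${this.tokens.accessToken}` } });
    let res = await call();
    if (res.status === 401) { await this.refresh(); res = await call(); }  // exactly one retry
    return res;
  }
}
```

If the refresh itself returns 401 the wrapper drops its tokens and throws, which is the point at which a real client should send the user back to the login screen.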

Use HTTPS Only

Always use HTTPS for all API requests to prevent token interception. The API will reject non-HTTPS requests in production.

Validate Email Domains

For enterprise accounts, consider implementing email domain validation to ensure only authorized email addresses can create accounts.

Need Help?

If you have questions about authentication or need assistance implementing it in your application, check out our additional resources.