Authentication & sessions

Limen issues two kinds of credentials: user sessions (for people signing in) and API keys (for backend services). Both travel in the Authorization header as a bearer token.

User sessions

A successful login or signup returns a pair of tokens:

TokenLifetimePurpose
accessToken15 minutesSent on every request. A signed JWT.
refreshToken30 daysExchanged for a new pair when the access token expires.

Send the access token on each call:

curl https://api.limen.eu/v1/acme/me \
  -H "Authorization: Bearer <accessToken>"

The access token is a JWT signed by Limen (HS256). It is short-lived on purpose: if it leaks, it stops working within 15 minutes.

Refreshing a session

When the access token expires, exchange the refresh token for a fresh pair:

curl -X POST https://api.limen.eu/v1/acme/auth/refresh \
  -H "content-type: application/json" \
  -d '{ "refreshToken": "<refreshToken>" }'

Each refresh rotates the token: the old refresh token is invalidated and a new one is returned. Store the new one.

Reuse detection

Refresh tokens are tracked as a family. If an old, already-rotated refresh token is presented again — the signature of a stolen token being replayed — Limen revokes the entire family, ending every session descended from it. Always replace the refresh token you hold after each refresh.

Ending a session

# End the current session
curl -X POST https://api.limen.eu/v1/acme/auth/logout \
  -H "content-type: application/json" \
  -d '{ "refreshToken": "<refreshToken>" }'

# End every session for the user
curl -X POST https://api.limen.eu/v1/acme/auth/logout-all \
  -H "Authorization: Bearer <accessToken>"

API keys

Backend services authenticate with an API key instead of a user session. Keys are scoped to a tenant and prefixed by environment:

  • ak_live_… — production
  • ak_test_… — non-production

Use a key exactly like an access token:

curl https://api.limen.eu/v1/acme/users \
  -H "Authorization: Bearer ak_live_…"

Keys don't expire on a timer — revoke them from the console when they're no longer needed. See API keys for issuing and revoking.

Keep keys server-side

An API key acts for the whole tenant. Never ship one in a browser, mobile app, or public repository. Use user sessions for end-user auth; use keys only from servers you control.