Authentication & sessions
Limen issues two kinds of credentials: user sessions (for people signing in)
and API keys (for backend services). Both travel in the Authorization
header as a bearer token.
User sessions
A successful login or signup returns a pair of tokens:
| Token | Lifetime | Purpose |
|---|---|---|
accessToken | 15 minutes | Sent on every request. A signed JWT. |
refreshToken | 30 days | Exchanged for a new pair when the access token expires. |
Send the access token on each call:
curl https://api.limen.eu/v1/acme/me \
-H "Authorization: Bearer <accessToken>"
The access token is a JWT signed by Limen (HS256). It is short-lived on purpose: if it leaks, it stops working within 15 minutes.
Refreshing a session
When the access token expires, exchange the refresh token for a fresh pair:
curl -X POST https://api.limen.eu/v1/acme/auth/refresh \
-H "content-type: application/json" \
-d '{ "refreshToken": "<refreshToken>" }'
Each refresh rotates the token: the old refresh token is invalidated and a new one is returned. Store the new one.
Refresh tokens are tracked as a family. If an old, already-rotated refresh token is presented again — the signature of a stolen token being replayed — Limen revokes the entire family, ending every session descended from it. Always replace the refresh token you hold after each refresh.
Ending a session
# End the current session
curl -X POST https://api.limen.eu/v1/acme/auth/logout \
-H "content-type: application/json" \
-d '{ "refreshToken": "<refreshToken>" }'
# End every session for the user
curl -X POST https://api.limen.eu/v1/acme/auth/logout-all \
-H "Authorization: Bearer <accessToken>"
API keys
Backend services authenticate with an API key instead of a user session. Keys are scoped to a tenant and prefixed by environment:
ak_live_…— productionak_test_…— non-production
Use a key exactly like an access token:
curl https://api.limen.eu/v1/acme/users \
-H "Authorization: Bearer ak_live_…"
Keys don't expire on a timer — revoke them from the console when they're no longer needed. See API keys for issuing and revoking.
An API key acts for the whole tenant. Never ship one in a browser, mobile app, or public repository. Use user sessions for end-user auth; use keys only from servers you control.