Token-Based Authentication
Convirza uses encrypted Bearer token authentication with server-side session storage.
How It Works
1.
   Send your credentials to POST /oauth/token
   Receive an encrypted access_token and refresh_token
   Store both tokens securely in your application
2.
   Include the access token in every request: Authorization: Bearer <access_token>
   The API validates your token and authorizes the request
   If valid, your request proceeds; if invalid, you receive a 401 error
3.
   Access Token: Valid for 7 days
   Refresh Token: Valid for 6 months
   Format: Encrypted opaque strings (use as-is, do not decode)
   Revocation: Immediate via POST /oauth/revoke-token
Authorization: Bearer <encrypted_access_token>
Token Lifecycle
Login → Access Token (7d) + Refresh Token (6mo)
↓
Use Access Token for API calls
↓
Access Token Expires → Use Refresh Token → New Token Pair
↓
Refresh Token Expires → Re-login Required
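A client-side sketch of the lifecycle above, added here as an example and not taken from Convirza's own code or SDK. The page does not show the request bodies or the refresh call, so `login` and `refresh` are hypothetical caller-supplied functions that return an `(access_token, refresh_token)` pair; "6 months" is approximated as 180 days and the 60-second early-renewal margin is an assumption.

```python
import time
from dataclasses import dataclass

ACCESS_TTL = 7 * 24 * 3600     # access token lifetime from the page: 7 days
REFRESH_TTL = 180 * 24 * 3600  # "6 months", approximated as 180 days (assumption)
SKEW = 60                      # renew slightly early; constructed safety margin

@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    issued_at: float

class Session:
    """Holds the current token pair and picks the next lifecycle step."""

    def __init__(self, login, refresh, clock=time.time):
        # login() and refresh(refresh_token) are hypothetical callables that
        # wrap the real HTTP calls and return (access_token, refresh_token).
        self._login, self._refresh, self._clock = login, refresh, clock
        self._pair = None

    def _age(self):
        return self._clock() - self._pair.issued_at

    def _renew(self):
        if self._pair is not None and self._age() < REFRESH_TTL - SKEW:
            tokens = self._refresh(self._pair.refresh_token)  # new token pair
        else:
            tokens = self._login()  # no pair yet, or refresh token expired
        self._pair = TokenPair(tokens[0], tokens[1], self._clock())

    def auth_header(self):
        if self._pair is None or self._age() >= ACCESS_TTL - SKEW:
            self._renew()
        # Tokens are opaque strings: send them as-is and never decode them.
        return {"Authorization": f"Bearer {self._pair.access_token}"}

    def call(self, send):
        """send(headers) -> HTTP status code; renews and retries once on 401."""
        status = send(self.auth_header())
        if status == 401:  # token rejected before its expected expiry
            self._renew()
            status = send(self.auth_header())
        return status
```

A second 401 after the retry is returned to the caller, which should then treat the session as ended and log in again rather than loop.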
Modified at 2026-04-13 06:15:41