
Get Access Token

POST
https://platform-oauth.convirza.com/oauth/token
Last modified: 2026-04-03 13:19:41
Authenticates a user's email and password and returns a token pair for use with all other Convirza API endpoints.

How authentication works
Convirza uses an encrypted, session-based token system (not standard JWTs):
  1. Credentials are validated against the database.
  2. A session is created in Redis containing the user's profile and permissions.
  3. An AES-256-CBC encrypted access_token is returned. This token is an opaque identifier: it cannot be decoded client-side (it is not a JWT).
  4. Include the token in every subsequent API request: Authorization: Bearer <access_token>.

Token lifetimes
  • access_token: valid for 7 days (604 800 seconds). Auto-renewed on each authenticated API request.
  • refresh_token: valid for 6 months (15 552 000 seconds). Used to obtain a new token pair after the access token expires.

frontend_token
A 32-character hash derived from the session, used by the Convirza web app for client-side session tracking. Third-party integrations can ignore this field.

Session-based benefits
  • Tokens can be revoked instantly server-side (no wait for expiry).
  • Session data (roles, org access) is always authoritative; there are no stale claims in the token.

Rate limiting
This endpoint is limited to 10 requests per minute per IP to protect against brute-force attacks.

Request

Body Params: application/json (required)

Responses

  • 🟢 200 (application/json): Login successful - returns access token, refresh token, and user data
  • 🟠 400
  • 🟠 401
  • 🔴 500

Request Example (Shell)
curl --location --request POST 'https://platform-oauth.convirza.com/oauth/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "user@example.com",
    "password": "SecurePassword123!"
}'

Response Example (200 - Example 1)
{
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0b2tlbklkIjoiYWJjZDEyMzQtZWY1Ni03ODkwLWFiY2QtMTIzNDU2Nzg5MGFiIiwiaWF0IjoxNzA5NTU1NTU1LCJleHAiOjE3MDk1OTg3NTV9.xyz123",
    "frontend_token": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "refresh_token": "xyz789refresh012345678901234567890",
    "token_type": "Bearer",
    "expires_in": "2026-04-06T12:34:56.789Z",
    "refresh_expires_in": "2026-10-06T12:34:56.789Z",
    "user": {
        "user_id": 12345,
        "email": "user@example.com",
        "role_id": 2,
        "org_unit_id": 1001
    }
}
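
An added client-side example (not Convirza's code) for handling the response above: it keeps both tokens as opaque strings, accepts an expiry either as an ISO-8601 timestamp (as in the response example) or as a lifetime in seconds (as under Token lifetimes), and decides when to refresh or log in again. The names TokenPair and parse_expiry, the 5-minute skew and the placeholder token values are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample using field names from the 200 response; values are placeholders.
SAMPLE = json.loads("""{
  "access_token": "CONSTRUCTED-OPAQUE-ACCESS-TOKEN",
  "refresh_token": "CONSTRUCTED-REFRESH-TOKEN",
  "token_type": "Bearer",
  "expires_in": "2026-04-06T12:34:56.789Z",
  "refresh_expires_in": "2026-10-06T12:34:56.789Z"
}""")

def parse_expiry(value, now):
    """Return an aware datetime from an ISO-8601 timestamp (response example)
    or from a lifetime in seconds (the form used under 'Token lifetimes')."""
    if isinstance(value, (int, float)) or str(value).isdigit():
        return now + timedelta(seconds=int(value))
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

class TokenPair:
    """Holds the pair as opaque strings; nothing here decodes the access token."""
    def __init__(self, body, now=None):
        now = now or datetime.now(timezone.utc)
        if str(body.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        self._access = body["access_token"]
        self._refresh = body["refresh_token"]
        self.access_expires = parse_expiry(body["expires_in"], now)
        self.refresh_expires = parse_expiry(body["refresh_expires_in"], now)

    def auth_header(self):
        return {"Authorization": f"Bearer {self._access}"}

    def state(self, now, skew=timedelta(minutes=5)):
        """'ok', 'refresh' (access token stale, refresh token usable) or 'login'."""
        if now + skew < self.access_expires:
            return "ok"
        return "refresh" if now + skew < self.refresh_expires else "login"

    def __repr__(self):  # keeps both secrets out of logs and tracebacks
        return f"TokenPair(<redacted>, access_expires={self.access_expires.isoformat()})"

if __name__ == "__main__":
    pair = TokenPair(SAMPLE, now=datetime(2026, 3, 30, 12, 0, tzinfo=timezone.utc))
    print(pair, pair.state(datetime(2026, 4, 6, 12, 31, tzinfo=timezone.utc)))
```

Because the access token is auto-renewed on each authenticated request, the locally computed expiry is a conservative estimate; a 401 from the API remains the authoritative signal that the session is gone or was revoked.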