Login — Get JWT Token
Authenticates a user with credentials. Returns a pair of access and refresh tokens.
Login / Get Token
Authorizations
The `x-api-key` header is required for authorization.
Endpoint
POST https://dev.backend.colurs.co/token/
Required Headers
Content-Type: application/json
Accept: application/json
x-api-key: [API_KEY]
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| username | string | | User email or username |
| password | string | | User password |
| platform | string | | API, APP, PANEL, IOS, ANDROID (default: API) |
| code | string | | Verification code (required for PANEL, IOS, ANDROID) |
| otp | string | | 6-digit 2FA code (if user has MFA enabled) |
cURL Example
curl -X POST https://dev.backend.colurs.co/token/ \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-H "x-api-key: [API_KEY]" \
-d '{
"username": "user@example.com",
"password": "Password123!",
"platform": "API"
}'
Response
response.json
{
"access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Possible Errors
| Code | Error | Description |
|---|---|---|
| 400 | DataInvalidException | Invalid credentials or unsupported platform |
| 400 | CodeMustBeRequiredException | Code required for PANEL/IOS/ANDROID |
| 400 | CodeExpiredException | Verification code expired |
| 400 | OTPRequiredException | 2FA code is required (user has MFA enabled) |
| 400 | InvalidOTPException | Invalid 2FA code |
⚠️ For **PANEL**, **IOS**, and **ANDROID** platforms, an additional verification `code` previously sent to the user is required.
Use the Token
⚠️ The access token expires in 15 minutes. Use the Refresh endpoint to get a new one without logging in again.
Include these headers in every authenticated request:
Content-Type: application/json
Accept: application/json
x-api-key: [API_KEY]
Authorization: Bearer [ACCESS_TOKEN]
2FA (MFA) Flow
If the user has two-factor authentication enabled (`totp_secret` in their profile), login requires an additional step:
- Send `username`, `password`, and `platform` as usual.
- The server responds with `OTPRequiredException`.
- Resend the same request adding the `otp` field with the 6-digit authenticator code.
- If the OTP is valid, you receive the tokens.
🔐 The OTP code uses TOTP (Time-based One-Time Password) with pyotp. Compatible with Google Authenticator, Authy, and similar apps.
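The login flow above, including the OTP retry, as an added example (not code from this API's authors). The `post` transport, the `fake_server` stand-in, the placeholder tokens, and the assumption that the error name appears in the response body are not from the page; the TOTP parameters are pyotp's defaults.

```python
import base64, hashlib, hmac, json, struct, time

TOKEN_URL = "https://dev.backend.colurs.co/token/"  # endpoint from this page

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, 30 s step, 6 digits (pyotp's defaults)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(time.time() if at is None else at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login(post, api_key, username, password, get_otp, platform="API"):
    """Run the documented flow; `post(url, headers, body) -> (status, text)`."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json", "x-api-key": api_key}
    body = {"username": username, "password": password, "platform": platform}
    status, text = post(TOKEN_URL, headers, body)
    # Assumption: the error name from the table appears in the response body.
    if status == 400 and "OTPRequiredException" in text:
        body["otp"] = get_otp()  # ask for the code only when the server demands it
        status, text = post(TOKEN_URL, headers, body)
    if status >= 400:
        # Report the status only; never log the request body (password, OTP).
        raise PermissionError(f"login failed: HTTP {status}")
    tokens = json.loads(text)
    return tokens["access"], tokens["refresh"]

def auth_headers(api_key, access):
    """Headers for every authenticated request, as listed on this page."""
    return {"Content-Type": "application/json", "Accept": "application/json",
            "x-api-key": api_key, "Authorization": f"Bearer {access}"}

def fake_server(secret_b32, now):
    """Constructed stand-in for the endpoint so the example runs offline."""
    seen = []
    def post(url, headers, body):
        seen.append(dict(body))
        if "otp" not in body:
            return 400, '{"error": "OTPRequiredException"}'
        if not hmac.compare_digest(body["otp"], totp(secret_b32, now)):
            return 400, '{"error": "InvalidOTPException"}'
        return 200, '{"access": "ACCESS_PLACEHOLDER", "refresh": "REFRESH_PLACEHOLDER"}'
    return post, seen
```

In a real integration, `post` wraps an HTTPS client and `get_otp` prompts the user for the code from their authenticator app.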
Supported Platforms
| Platform | Description | Requires code |
|---|---|---|
| API | External API integration | ❌ |
| APP | Main mobile application | ❌ |
| PANEL | Web admin panel | ✅ |
| IOS | iOS application | ✅ |
| ANDROID | Android application | ✅ |