Authentication

All API calls are authenticated with a Bearer token (a JWT) sent in the Authorization header: Authorization: Bearer <token>. The token embeds the user’s role-based access rights, which the server checks on every endpoint.

Token endpoint

Obtain a token from the OAuth 2.0 token endpoint POST /api/v1/oauth/token. The request body is form-encoded (application/x-www-form-urlencoded), as per OAuth 2.0.

GrantDescription
passwordExchange a user’s email address and password for an access token (for your own first-party software).
refresh_tokenExchange a refresh token for a fresh access token, without asking for credentials again.
authorization_codeStandard OAuth 2.1 authorization-code + PKCE flow, used by MCP clients and third-party apps. See the MCP server page.

Token lifetimes

Access tokens are valid for 60 minutes; refresh tokens for 30 days. Refresh proactively, shortly before the access token expires, so long-running tools never make a call with an expired token.

# Password grant
curl -X POST https://stardraw.cloud/api/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=you@example.com&password=YOUR_PASSWORD"

# Refresh grant
curl -X POST https://stardraw.cloud/api/v1/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN"

The response is a standard OAuth token payload:

{
  "token_type": "Bearer",
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_at": 1717171717000
}

Discovery

For OAuth 2.1 / OpenID-style clients, the server publishes the usual discovery documents so clients can configure themselves automatically:

DocumentEndpoint
Authorization-server metadata (RFC 8414)GET /.well-known/oauth-authorization-server
OpenID configuration aliasGET /.well-known/openid-configuration
Protected-resource metadata (RFC 9728)GET /.well-known/oauth-protected-resource

Ready to try it? Head to the API reference, press Authorize, paste your access token and run a call.