Skip to main content

Authentication

The ION Guard API uses Laravel Sanctum for authentication via Bearer tokens. Every authenticated access requires a valid token in the Authorization header.

Obtaining a token

Send the user credentials to the login endpoint:

POST /api/v1/auth/login
Content-Type: application/json

{
"email": "operador@empresa.com",
"password": "sua-senha"
}

Success response (200)

{
"token": "1|ionguard_abc123def456...",
"user": {
"id": "9c1a2b3c-...",
"name": "João Silva",
"email": "operador@empresa.com",
"role": "operator",
"status": "active",
"password_login_enabled": true,
"sso_login_enabled": false,
"role_managed_by_sso": false,
"tenant_id": "9c1a2b3c-...",
"last_login_at": "2026-07-03T12:00:00-03:00",
"created_at": "2026-01-10T09:30:00-03:00",
"updated_at": "2026-07-03T12:00:00-03:00"
}
}
Token prefix

Tokens are issued with the ionguard_ prefix (after the 1| identifier), which makes it easier for secret scanning tools to automatically detect leaked secrets.

Error responses

StatusSituation
401Invalid credentials
403Account is not active (inactive or blocked)
429Too many attempts — rate limit exceeded

Using the token

Include the token in the Authorization header of every authenticated request:

GET /api/v1/sites
Authorization: Bearer 1|abc123def456...
Content-Type: application/json

Refreshing the token

To obtain a new token without logging in again, use the refresh endpoint. The current token is revoked and a new one is generated:

POST /api/v1/auth/refresh
Authorization: Bearer 1|abc123def456...

Response (200)

{
"token": "2|xyz789ghi012..."
}
Previous token revoked

After the refresh, the previous token stops working. Use the new token in subsequent requests.

Token validity

Each token is valid for 24 hours (1440 minutes) from issuance. After that, the token expires and requests start returning 401 Unauthorized — you must obtain a new token via login or refresh.

The expiration time is defined on the server by the SANCTUM_TOKEN_EXPIRATION variable (in minutes); the installation administrator can adjust it.

Logout

To revoke the current token:

POST /api/v1/auth/logout
Authorization: Bearer 1|abc123def456...

Response (200)

{
"message": "Logged out."
}

Rate limiting

The authentication endpoints have more restrictive rate limiting than the others:

GroupLimit
Auth (login, refresh, logout)5 req/min
Authenticated endpoints60 req/min

When the limit is exceeded, the API returns status 429 Too Many Requests with the Retry-After header indicating how many seconds to wait.

Permissions by profile

The token inherits the permissions of the user's profile. The same authorization rules from the web interface apply to the API:

ProfileAccess
Platform AdminAll endpoints, all tenants
Tenant MasterAll endpoints within their tenant
Tenant AdminCRUD of sites, zones, devices, and operational users
OperatorRead + alert actions (acknowledge, resolve) on assigned sites
ViewerRead-only on assigned sites

Full example (cURL)

# 1. Login
TOKEN=$(curl -s -X POST https://ionguard.exemplo.local/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"operador@empresa.com","password":"senha123"}' \
| jq -r '.token')

# 2. List sites
curl -s https://ionguard.exemplo.local/api/v1/sites \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json"

# 3. List a site's alerts
curl -s https://ionguard.exemplo.local/api/v1/sites/{site_id}/alerts \
-H "Authorization: Bearer $TOKEN"

# 4. Acknowledge an alert
curl -s -X POST https://ionguard.exemplo.local/api/v1/alerts/{alert_id}/acknowledge \
-H "Authorization: Bearer $TOKEN"

# 5. Logout
curl -s -X POST https://ionguard.exemplo.local/api/v1/auth/logout \
-H "Authorization: Bearer $TOKEN"

Full reference

For the complete list of endpoints and their parameters, see the automatically generated interactive documentation:

https://<seu-servidor>/docs/api