Authentication

JWT for user sessions, API keys for integrations


FreeMaint accepts two auth mechanisms: JWTs (issued by /auth/login, used by our web and mobile apps) and API keys (created in /company-settings/api, used by your own integrations).

JWT (user sessions)

  1. POST /auth/login: body {email, password}. Returns {access_token, refresh_token}.
  2. Send the Authorization header on every request: Authorization: Bearer <access_token>.
  3. Refresh when expired: POST /auth/refresh with the refresh_token to get a new access_token. Access tokens last 2 hours.
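The three steps above as one client-side token lifecycle. This is an added example, not FreeMaint's own client code: it logs in once, attaches the Bearer header, reads the exp claim from the access token (without verifying it; verification is the server's job) to refresh a minute before the 2-hour expiry, and retries once on a 401. The transport is a constructed stub of /auth/login and /auth/refresh with made-up credentials and a made-up refresh token so the code runs offline; swap `send` for real HTTP calls against the API. The response shapes are the ones the page documents; the stub checking only exp, the 60-second leeway and the single retry are assumptions.

```python
import base64
import json
import time

ACCESS_TTL = 2 * 60 * 60  # the page says access tokens last 2 hours


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_exp(token: str) -> int:
    """Read the exp claim of a JWT without verifying it.

    The client only needs exp to decide when to refresh; trust decisions
    (signature, issuer, audience) belong to the server, never the client.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def _fake_jwt(exp: int) -> str:
    # Constructed, unsigned token with the header.payload.signature shape;
    # it exists only so the stub below can hand out something jwt_exp can read.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": "user-1", "exp": exp}).encode())
    return f"{header}.{claims}.constructed-signature"


def make_fake_transport(clock):
    """Stub of the API: send(method, path, headers, body) -> (status, json).

    Credentials and the refresh-token value are made up for this example.
    The stub checks only exp on bearer tokens; a real server verifies the signature.
    """
    def send(method, path, headers=None, body=None):
        now = int(clock())
        if path == "/auth/login":
            if body != {"email": "ops@example.com", "password": "correct horse"}:
                return 401, {"error": "bad credentials"}
            return 200, {"access_token": _fake_jwt(now + ACCESS_TTL),
                         "refresh_token": "refresh-1"}
        if path == "/auth/refresh":
            if (body or {}).get("refresh_token") != "refresh-1":
                return 401, {"error": "bad refresh token"}
            return 200, {"access_token": _fake_jwt(now + ACCESS_TTL)}
        auth = (headers or {}).get("Authorization", "")
        if not auth.startswith("Bearer ") or jwt_exp(auth[len("Bearer "):]) <= now:
            return 401, {"error": "missing or expired token"}
        return 200, {"ok": True, "path": path}
    return send


class FreeMaintSession:
    """Client-side token lifecycle: login once, attach Bearer, refresh before expiry."""

    LEEWAY = 60  # refresh a minute early so a request never races the expiry (assumed)

    def __init__(self, send, email, password, clock=time.time):
        self._send, self._clock = send, clock
        status, data = send("POST", "/auth/login",
                            body={"email": email, "password": password})
        if status != 200:
            raise RuntimeError(f"login failed: {status}")
        self._access = data["access_token"]
        self._refresh = data["refresh_token"]
        self._exp = jwt_exp(self._access)
        self.refreshes = 0  # counter so callers can see how often a refresh happened

    def _refresh_access(self):
        status, data = self._send("POST", "/auth/refresh",
                                  body={"refresh_token": self._refresh})
        if status != 200:
            raise RuntimeError("refresh rejected; a full re-login is required")
        self._access = data["access_token"]
        self._exp = jwt_exp(self._access)
        self.refreshes += 1

    def request(self, method, path, body=None):
        if self._clock() >= self._exp - self.LEEWAY:
            self._refresh_access()
        headers = {"Authorization": f"Bearer {self._access}"}
        status, data = self._send(method, path, headers=headers, body=body)
        if status == 401:
            # Clock skew or an early server-side invalidation: refresh once and
            # retry, then surface the 401 rather than looping forever.
            self._refresh_access()
            headers["Authorization"] = f"Bearer {self._access}"
            status, data = self._send(method, path, headers=headers, body=body)
        return status, data
```

Refreshing proactively off the exp claim keeps a long-running integration from sending a request that is guaranteed to fail; the single retry on 401 covers the case where the server's clock is ahead of the client's. If the refresh itself is rejected, the only recovery is a new login, so the client raises instead of retrying.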

API key (server integrations)

  1. Open /company-settings/api: visible to admins from Business tier upward.
  2. Click 'New key': optionally set an expiration. The raw key is shown ONCE, so copy it immediately.
  3. Use it: send Authorization: Bearer fmk_<rawKey> on every request. Format: starts with fmk_ followed by 32 hex characters.

Security notes

  • API keys are stored as SHA-256 hashes โ€” once you close the reveal dialog, the raw value is unrecoverable
  • Revoking a key disables it immediately; the row is kept for audit
  • Each key is scoped to a single company; cross-tenant requests always 401
  • Keys can have an optional expiresAt for short-lived integrations
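What the API-key steps and the security notes above imply on the server side, as an added example that is not FreeMaint's own implementation: the key is fmk_ plus 16 random bytes in hex (32 hex characters), only its SHA-256 digest is stored, the row survives revocation for audit, an optional expiry is enforced, and a key presented against another company is rejected with the same 401 as every other failure. The in-memory store, its column names, the regex pre-check, the constant-time row comparison and the internal failure reasons are assumptions of this example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Key format from the page: "fmk_" followed by 32 hex characters (16 random bytes).
KEY_RE = re.compile(r"fmk_[0-9a-f]{32}")


def _digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


class ApiKeyStore:
    """In-memory stand-in for the API-key table (column names assumed)."""

    def __init__(self, clock=time.time):
        self._rows = []  # one dict per key; rows are never deleted (kept for audit)
        self._clock = clock

    def create(self, company_id: str, expires_at=None) -> str:
        """Mint a key for one company; expires_at is an optional epoch timestamp."""
        raw = "fmk_" + secrets.token_hex(16)
        self._rows.append({
            "key_hash": _digest(raw),
            "company_id": company_id,
            "expires_at": expires_at,
            "revoked_at": None,
            "created_at": self._clock(),
        })
        return raw  # the only moment the raw value exists; only its hash is stored

    def revoke(self, raw: str) -> bool:
        row = self._lookup(raw)
        if row is None:
            return False
        row["revoked_at"] = self._clock()  # row stays for audit, key stops working now
        return True

    def audit_rows(self):
        return list(self._rows)

    def _lookup(self, raw: str):
        wanted = _digest(raw)
        for row in self._rows:
            # compare_digest keeps each row comparison constant-time
            if hmac.compare_digest(row["key_hash"], wanted):
                return row
        return None

    def authenticate(self, authorization: str, company_id: str):
        """Return (200, row) or (401, reason).

        The reason is for server-side logging only; the client always sees a
        bare 401, so it cannot distinguish unknown, revoked, expired or
        cross-tenant keys.
        """
        if not authorization.startswith("Bearer "):
            return 401, "no bearer token"
        raw = authorization[len("Bearer "):]
        if not KEY_RE.fullmatch(raw):
            return 401, "malformed key"  # cheap reject before hashing
        row = self._lookup(raw)
        if row is None:
            return 401, "unknown key"
        if row["revoked_at"] is not None:
            return 401, "revoked"
        if row["expires_at"] is not None and self._clock() >= row["expires_at"]:
            return 401, "expired"
        if row["company_id"] != company_id:
            return 401, "wrong tenant"
        return 200, row
```

Because only the digest is stored, a leaked database dump yields no usable keys, and the store genuinely cannot show the raw value again after creation. Keep the tenant check even though the key already maps to one company: it is what turns a key stolen from company A into a 401 when replayed against company B's resources.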

Tip

Key compromised? Revoke it from /company-settings/api; revocation takes effect within seconds.
