
Overview

Wryft Chat uses JWT (JSON Web Tokens) for authentication. All authenticated endpoints require a valid JWT in the Authorization header.

Register

Create a new user account.
POST /api/auth/register

Request Body

{
  "username": "user123",
  "email": "user@example.com",
  "password": "SecurePassword123!"
}

Response

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "username": "user123",
    "email": "user@example.com",
    "created_at": "2024-01-01T00:00:00Z"
  }
}

Validation Rules

  • Username: 3-32 characters, alphanumeric + underscores
  • Email: Valid email format
  • Password: Minimum 8 characters

Login

Authenticate with existing credentials.
POST /api/auth/login

Request Body

{
  "email": "user@example.com",
  "password": "SecurePassword123!"
}

Response

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "username": "user123",
    "email": "user@example.com",
    "avatar": "https://...",
    "is_premium": false
  }
}
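The register and login calls above, as an added example that is not code from the Wryft Chat docs or project: client-side validation that mirrors the documented registration rules, plus helpers that call both endpoints and map the documented error statuses (400, 401, 409, 429) to a typed error. The API base URL comes from the cURL example on this page; the function names, `AuthError`, and the offline `stubFetch` stand-in are assumptions.

```javascript
// Added example, not code from the Wryft Chat docs: validate a registration
// body against the documented rules before spending a request on it, and
// turn the documented error responses into a typed AuthError.
// API_BASE is taken from the docs' cURL example; everything else is assumed.

const API_BASE = 'https://api.wryft.chat';
const USERNAME_RE = /^[A-Za-z0-9_]{3,32}$/;     // 3-32 chars, alphanumeric + underscore
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;  // "looks like an email"; the server decides for real
const MIN_PASSWORD_LENGTH = 8;

// Returns the names of fields that break the documented rules; [] means valid.
function validateRegistration({ username, email, password } = {}) {
  const problems = [];
  if (!USERNAME_RE.test(username ?? '')) problems.push('username');
  if (!EMAIL_RE.test(email ?? '')) problems.push('email');
  if (typeof password !== 'string' || password.length < MIN_PASSWORD_LENGTH) problems.push('password');
  return problems;
}

class AuthError extends Error {
  constructor(status, message) {
    super(message);
    this.name = 'AuthError';
    this.status = status;
  }
}

// Turns (status, parsed body) into { token, user } or throws AuthError.
// 400, 401, 409 and 429 are the statuses this page documents; the body's
// "error" field carries the message.
function handleAuthResponse(status, body) {
  if (status >= 200 && status < 300) {
    if (typeof body?.token !== 'string') throw new AuthError(status, 'response missing token');
    return body;
  }
  throw new AuthError(status, body?.error ?? `HTTP ${status}`);
}

async function postJson(path, payload, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${API_BASE}${path}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(payload),
  });
  return handleAuthResponse(res.status, await res.json());
}

// Validate first so obviously bad input never costs a request (or a rate-limit slot).
async function register(body, fetchImpl = globalThis.fetch) {
  const problems = validateRegistration(body);
  if (problems.length) throw new AuthError(400, `invalid field(s): ${problems.join(', ')}`);
  return postJson('/api/auth/register', body, fetchImpl);
}

async function login(email, password, fetchImpl = globalThis.fetch) {
  return postJson('/api/auth/login', { email, password }, fetchImpl);
}

// Constructed stand-in for fetch so the helpers can be exercised offline.
function stubFetch(status, body) {
  return async () => ({ status, json: async () => body });
}
```

Pass a real `fetch` (the default) in the browser or Node 18+; pass `stubFetch(...)` to exercise the error mapping without a network. Catching `AuthError` and switching on `status` keeps the 401 ("Invalid credentials") and 409 ("Email already registered") cases distinct in the UI without parsing message strings.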

Using JWT Tokens

Include the token in the Authorization header for all authenticated requests:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Example with cURL

curl -H "Authorization: Bearer YOUR_TOKEN" \
  https://api.wryft.chat/api/users/me

Example with JavaScript

const response = await fetch('https://api.wryft.chat/api/users/me', {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});

Token Expiration

JWT tokens expire after 30 days. When a token expires, the user must log in again.

Checking Token Validity

GET /api/users/me
Returns 401 Unauthorized if the token is invalid or expired.
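The expiry and validity checks above, as an added example that is not code from the Wryft Chat docs or project: reading the `exp` claim out of a JWT so a client can skip a request that is certain to return 401 and send the user to login instead. The server remains the authority; the sample token is constructed and unsigned, and the `makeSampleToken`, `isTokenExpired`, and `authHeadersOrNull` names are assumptions.

```javascript
// Added example, not code from the Wryft Chat docs: decode the JWT payload
// (no signature check) to read `exp`, and only attach the Authorization
// header when the token has not yet expired. A 401 from GET /api/users/me
// still overrides whatever the client computed here.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Returns the payload WITHOUT verifying the signature. Fine for deciding
// whether to bother the server; never use it to trust the claims.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// `exp` is a NumericDate in seconds. `skewSeconds` treats a token that is
// about to expire as already expired so an in-flight request does not 401.
function isTokenExpired(token, nowMs = Date.now(), skewSeconds = 60) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true;  // no exp claim: treat as unusable
  return nowMs / 1000 + skewSeconds >= exp;
}

// Headers for an authenticated request, or null meaning "log in again first".
function authHeadersOrNull(token, nowMs = Date.now()) {
  if (isTokenExpired(token, nowMs)) return null;
  return { Authorization: `Bearer ${token}` };
}

// Constructed, unsigned sample token (the signature segment is a placeholder).
// Its header encodes to the same "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" prefix
// shown in the responses on this page.
function makeSampleToken(expSeconds) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  const payload = enc({ sub: '550e8400-e29b-41d4-a716-446655440000', exp: expSeconds });
  return `${header}.${payload}.placeholder-signature`;
}
```

Call `authHeadersOrNull(storedToken)` before each authenticated request; a `null` result means the 30-day lifetime is over (or within the skew window) and the user should be sent to login. Because this decode never checks the signature, a malformed or tampered token still reaches the server, which is where the 401 is decided.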

Error Responses

400 Bad Request

{
  "error": "Invalid email format"
}

401 Unauthorized

{
  "error": "Invalid credentials"
}

409 Conflict

{
  "error": "Email already registered"
}

Security Best Practices

Store Securely

Store tokens in httpOnly cookies or secure storage

HTTPS Only

Always use HTTPS in production

Token Rotation

Implement token refresh for long sessions

Logout

Clear tokens on logout
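The "Store Securely", "HTTPS Only" and "Logout" points above, as an added example that is not code from the Wryft Chat docs or project: the Set-Cookie values a backend that fronts the API could use to keep the JWT out of page scripts, the matching value that clears it on logout, and the server-side step that turns the cookie back into the Bearer header the API expects. The cookie name `wryft_token` and the `/api` path are assumptions; the 30-day lifetime is the documented token expiry.

```javascript
// Added example, not code from the Wryft Chat docs: HttpOnly + Secure cookie
// handling for the JWT. Cookie name and path are assumptions; the lifetime
// matches the 30-day expiry documented under "Token Expiration".

const COOKIE_NAME = 'wryft_token';                 // assumed name
const TOKEN_LIFETIME_SECONDS = 30 * 24 * 60 * 60;  // 30 days
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Set-Cookie value to send after a successful login. HttpOnly keeps the token
// out of document.cookie; Secure restricts it to HTTPS; SameSite=Strict stops
// cross-site requests from carrying it.
function tokenCookie(token, { secure = true } = {}) {
  if (!JWT_SHAPE.test(token)) throw new Error('refusing to store a malformed token');
  const attrs = [
    `${COOKIE_NAME}=${token}`,
    `Max-Age=${TOKEN_LIFETIME_SECONDS}`,
    'Path=/api',
    'HttpOnly',
    'SameSite=Strict',
  ];
  if (secure) attrs.push('Secure');  // only disable for local HTTP development
  return attrs.join('; ');
}

// Set-Cookie value for logout: same name and path, Max-Age=0 drops it at once.
function clearTokenCookie({ secure = true } = {}) {
  const attrs = [`${COOKIE_NAME}=`, 'Max-Age=0', 'Path=/api', 'HttpOnly', 'SameSite=Strict'];
  if (secure) attrs.push('Secure');
  return attrs.join('; ');
}

// Server side: recover the token from an incoming Cookie header, or null.
function tokenFromCookieHeader(cookieHeader) {
  for (const part of String(cookieHeader ?? '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE_NAME) {
      const value = rest.join('=');
      return JWT_SHAPE.test(value) ? value : null;
    }
  }
  return null;
}

// The header the API expects, rebuilt from the cookie (null if absent/bad).
function bearerHeaderFromCookie(cookieHeader) {
  const token = tokenFromCookieHeader(cookieHeader);
  return token ? { Authorization: `Bearer ${token}` } : null;
}
```

With this shape the token is sent only over HTTPS and never exposed to scripts, so a script injection on the page cannot read it; the "Clear tokens on logout" step is `clearTokenCookie()` on the logout response. The `JWT_SHAPE` check on the way in and out rejects anything that is not three base64url segments before it is stored or forwarded.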

Rate Limiting

Authentication endpoints are rate limited:
  • 10 requests per minute per IP
  • Returns 429 Too Many Requests when exceeded
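The policy above, as an added example that is not code from the Wryft Chat docs or project: a sliding-window limiter enforcing 10 requests per minute per IP and producing a 429 result when the limit is exceeded. The class name, the `Retry-After` value it computes, and the 429 body text are assumptions (the page only states the status); the clock is injectable so the behaviour can be checked deterministically.

```javascript
// Added example, not code from the Wryft Chat docs: per-IP sliding-window
// limiter for the documented policy (10 requests / minute / IP, 429 when
// exceeded). The Retry-After value and the error text are assumptions.

class SlidingWindowLimiter {
  constructor({ limit = 10, windowMs = 60_000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                // injectable clock for tests
    this.hits = new Map();         // ip -> timestamps (ms) inside the window
  }

  // Record one request from `ip`; returns whether it may proceed.
  check(ip) {
    const t = this.now();
    const recent = (this.hits.get(ip) ?? []).filter((ts) => t - ts < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      // Oldest hit in the window decides when a slot frees up.
      const retryAfterSeconds = Math.ceil((recent[0] + this.windowMs - t) / 1000);
      return { allowed: false, remaining: 0, retryAfterSeconds };
    }
    recent.push(t);
    this.hits.set(ip, recent);
    return { allowed: true, remaining: this.limit - recent.length };
  }

  // Drop entries that can no longer affect a decision (call periodically).
  prune() {
    const t = this.now();
    for (const [ip, stamps] of this.hits) {
      const live = stamps.filter((ts) => t - ts < this.windowMs);
      if (live.length) this.hits.set(ip, live); else this.hits.delete(ip);
    }
  }
}

// Shape of the 429 response for an auth endpoint (body text is assumed).
function tooManyRequests(decision) {
  return {
    status: 429,
    headers: { 'Retry-After': String(decision.retryAfterSeconds) },
    body: { error: 'Too many requests' },
  };
}

// Gate an auth request: null means proceed, otherwise the 429 to send back.
function gateAuthRequest(limiter, ip) {
  const decision = limiter.check(ip);
  return decision.allowed ? null : tooManyRequests(decision);
}
```

A sliding window, rather than a fixed one, avoids the burst of 20 requests that a fixed window allows across a minute boundary. The key is the client IP; behind a proxy, take it from the proxy's forwarded header only after confirming the proxy is the one that set it, or the limit keys on a value the client controls.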
