
Authentication

The application API is stateful: it uses PHP sessions to maintain state between the client and the application API.

Login flow (example in which every step succeeds):

  1. Client sends a request for the CSRF token
  2. Application API starts a session and returns the CSRF token
  3. Client stores the CSRF token
  4. Client sends the login credentials to the application API, with the CSRF token in a header
  5. Application API validates the CSRF token against the one stored in the session
  6. Application API validates the login credentials
  7. Application API returns the success response to the client

Every subsequent request carries the session cookie and is therefore authenticated for as long as the session exists.

Logout flow:

  1. Client sends a logout request
  2. Application API destroys the current session (which also removes the CSRF token stored in it)
  3. Application API returns the success response to the client
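Both flows above, as an added example (not the project's own code): a single PHP front controller that issues the token, validates it against the session with a constant-time comparison, checks credentials, and destroys the session on logout. The `X-CSRF-Token` header name, the JSON request body, the `action` query parameter and the in-memory user store are assumptions; it also regenerates the session id on successful login, a session-fixation mitigation the flow above does not list.

```php
<?php
// Added example, not the project's code: stateful CSRF-token + PHP-session login/logout.
// Assumptions: one front controller, JSON bodies, X-CSRF-Token header, constructed user store.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();                                 // step 2: session is created on first contact

// Constructed sample user store; a real application would query a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function json(int $status, array $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}
$action = $_GET['action'] ?? '';                 // assumption: ?action=csrf|login|logout

if ($action === 'csrf') {                        // steps 1-2: token bound to this session
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    json(200, ['csrf_token' => $_SESSION['csrf']]);
}
if ($action === 'login') {                       // steps 4-7
    $sent = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ''; // header name is an assumption
    // step 5: compare with the session copy; hash_equals avoids timing leaks
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
        json(403, ['error' => 'invalid CSRF token']);
    }
    $in   = json_decode(file_get_contents('php://input'), true) ?: [];
    $hash = $users[$in['username'] ?? ''] ?? null;
    // step 6: same generic error for unknown user and wrong password
    if ($hash === null || !password_verify((string)($in['password'] ?? ''), $hash)) {
        json(401, ['error' => 'invalid credentials']);
    }
    session_regenerate_id(true);                 // new id across the privilege change
    $_SESSION['user'] = $in['username'];
    json(200, ['ok' => true]);                   // step 7
}
if ($action === 'logout') {                      // logout steps 1-3
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();                           // CSRF token goes away with the session
    json(200, ['ok' => true]);
}
json(404, ['error' => 'unknown action']);
```

Requests after a successful login are authenticated purely by the session cookie, so the CSRF check should be applied to every state-changing endpoint, not only to login.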