Skip to main content

Authentication

The GeoTareas API uses a dual-authentication model to secure every protected endpoint. Each request must include both a JWT token (representing user identity and permissions) and an API Key (representing your company integration). This layered approach ensures that both the user and the integration are independently validated on every call.

Authentication Flow

The following diagram illustrates the end-to-end authentication flow:

  1. Authenticate — Call POST /apidev/v1/login with your email and password.
  2. Receive a JWT — The server returns a signed token valid for 1 hour.
  3. Attach credentials — Include the JWT, your API Key, and the tenant header on every subsequent request.
  4. Handle expiration — When you receive a 401, discard the token and re-authenticate. There is no refresh token flow.

Login

MethodPOST
URL/apidev/v1/login

Headers

HeaderValueRequired
tenantYour tenant domain (e.g. geotareas.com)Yes
Content-Typeapplication/jsonYes

Request Body

FieldTypeRequiredDescription
emailstringYesThe user's email address.
passwordstringYesThe user's password.

Code Examples

curl -X POST https://api.example.com/apidev/v1/login \
  -H "tenant: $TENANT" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@company.com",
    "password": "your_password"
  }'

Success Response

{
  "success": true,
  "data": {
    "authorization": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  },
  "meta": {}
}

Error Responses

Invalid credentials

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid email or password."
  }
}

Missing tenant header

{
  "success": false,
  "error": {
    "code": "BAD_REQUEST",
    "message": "The tenant header is required."
  }
}

Using the Token

Once authenticated, include these three headers on every API request:

HeaderValueDescription
tenantgeotareas.comIdentifies the tenant namespace.
AuthorizationBearer eyJhbG...The JWT obtained from login.
X-API-Keygtk_xxxxxxxxxxxxYour company integration key.

Example request:

curl -X GET "https://api.example.com/apidev/v1/fleet/devices?limit=25&offset=0" \
  -H "tenant: $TENANT" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-API-Key: $APIKEY"

Token Lifecycle

PropertyDetail
Time-to-live (TTL)1 hour from issuance.
Refresh mechanismNone. Re-authenticate by calling the login endpoint when the token expires.
Expiration signalA 401 UNAUTHORIZED response indicates the token has expired or is invalid.

When you receive a 401 response, discard the current token and perform a fresh login to obtain a new one. There is no refresh token flow -- simply call /apidev/v1/login again.

API Key Validation

The API Key is provided to your organization during onboarding. On every request, the server validates the following properties of your key:

CheckDescription
Tenant matchThe key must belong to the same tenant as the JWT.
ScopeThe key must have a valid integration scope assigned during onboarding.
StatusThe key must be in active status.
Time windowThe current time must fall within the key's valid_from and valid_until range.

If any of these checks fail, the server responds with 401 UNAUTHORIZED.

Security Best Practices

  • Store tokens securely. Keep JWTs in memory or secure storage. Never persist them in local storage on web clients.
  • Never expose API keys in client-side code. API keys should only be used in server-to-server communication or secure backend environments.
  • Rotate API keys periodically. Contact your account manager to schedule key rotation and minimize the window of exposure.
  • Always use HTTPS. All requests to the API must be made over TLS. Plain HTTP requests will be rejected.

Troubleshooting

SymptomCauseFix
401 — "Invalid email or password"Wrong credentialsVerify email and password. Passwords are case-sensitive.
401 — "The tenant header is required"Missing or empty tenant headerAdd the tenant header with your assigned domain.
401 after a period of working callsJWT expired (1 h TTL)Discard the token and call /apidev/v1/login again.
401 — API Key rejectedKey expired, inactive, or wrong tenantVerify the key status and validity window with your account manager.
429 — Too Many RequestsBrute-force protection triggered (5 failed logins in 30 s)Wait 60 seconds before retrying. Do not retry in a loop.