Contents

JSON API

JSON API

Authentication

Authentication is done by providing a valid Authentication Session identifier. An Authentication Session identifier is a 16 bytes value encoded as 32 characters string, for example 122813edb8dea90702d2bffb90cf3e8b.

Authentication Session identifier must be presented either by using HTTP Authorization header or a HTTP cookie.

When Authorization header is used, Bearer auth schema is expected, for example Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b.

When cookie is used, s key should be set to the identifier value, for example Cookie: s=122813edb8dea90702d2bffb90cf3e8b.

Error response

There are two formats an error message can follow, depending on the cause.

General error

If error response is caused by a non validation related issue, general error schema is used to format the response payload.

{
  "error": "Human readable error description."
}

Validation error

If error response is caused by an incomplete or an invalid input data, a validation error schema is used to format the response payload.

{
  "validation": {
    "email": [
      "Required."
    ],
    "password": [
      "Must be at least 12 characters long.",
      "Must meet complexity requirements."
    ]
  }
}

Authentication Session management

Create a new Authentication Session

POST /sessions

To create a new Authentication Session, send you authentication credentials. If Two-Factor authentication is enabled, you must additionally send a generated Time-based One-Time Password code.

Example request:

POST /sessions HTTP/1.1
Content-Type: application/json

{
  "email": "admin@example.com",
  "password": "admin",
  "code": "123456"
}
Request JSON Object

  • email (string) – The email used to register the account.

  • password (string) – The account password in plain text.

  • code (string) – Required if two-factor is enabled. A generated, 6-digit TOTP token.

Example response body:

{
  "account_id": "1ad4ce82183f3c5027a96883bac1d7e2",
  "session_id": "122813edb8dea90702d2bffb90cf3e8b",
  "permissions": [
    "lith-admin",
    "login"
  ]
}
Response JSON Object

  • account_id (string) – The identifier of the account that this authentication session represents.

  • session_id (string) – The identifier of this authentication session.

  • permissions (list of strings) – A list of permissions that this session grants.

Status Codes

Introspect an existing Authentication Session

GET /sessions

An existing Authentication Session can be introspected.

Example request:

GET /sessions HTTP/1.1
Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b

Example response body:

{
  "account_id": "1ad4ce82183f3c5027a96883bac1d7e2",
  "session_id": "122813edb8dea90702d2bffb90cf3e8b",
  "permissions": [
    "lith-admin",
    "login"
  ]
}
Response JSON Object

  • account_id (string) – The identifier of the account that this authentication session represents.

  • session_id (string) – The identifier of this authentication session.

  • permissions (list of strings) – A list of permissions that this session grants.

Status Codes

  • 200 OK – Authentication Session is valid and was successfully introspected.

  • 401 Unauthorized – A valid Authentication Session was not provided.

Terminate an existing Authentication Session

DELETE /sessions

An existing Authentication Session can be terminated.

Example request:

DELETE /sessions HTTP/1.1
Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b
Status Codes

  • 204 No Content – Authentication Session is valid and was successfully deleted.

  • 401 Unauthorized – A valid Authentication Session was not provided.

DELETE /sessions

To terminate all existing Authentication Session that belong to an account, send JSON serialized {"all": true} payload as the request body. Account is determined by the session token provided during authentication.

Example request:

DELETE /sessions HTTP/1.1
Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b
Content-Type: application/json
Content-Lenth: 13

{"all": true}
Status Codes

Two Factor authentication

Currently, Lith supports only Time-based One-Time Passwords as the second factor.

It is recommended to use an application on your phone to manage and generate TOTP tokens.

Check if Two-Factor authentication is enabled

GET /twofactor

User can check if two-factor authentication is enabled for the account.

Example request:

GET /twofactor HTTP/1.1
Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b

Example response body:

{
  "enabled": false
}
Response JSON Object

  • enabled (boolean) – True if two-factor authentication is enabled and required.

Status Codes

  • 200 OK – A successful response contains information if the two-factor authentication is enabled for this account.

  • 401 Unauthorized – A valid Authentication Session was not provided.

Enable Two-Factor authentication

POST /twofactor

Any account can enable two-factor authentication. Once enabled, two-factor authentication secret cannot be changed or deleted.

Example request:

POST /twofactor HTTP/1.1
Authorization: Bearer 122813edb8dea90702d2bffb90cf3e8b
Content-Type: application/json

{
  "secret": "base32-encoded-data",
  "code": "123456"
}
Request JSON Object

  • secret (string) – A base32 encoded secret value.

  • code (string) – The current TOTP code generated using secret.

In order to enable two-factor authentication, you must authenticate. If two-factor authentication is required, you can no longer create a new authentication session. If this is the case, only for this endpoint, you can directly send your email and password as an alternative authentication method.

Example request:

POST /twofactor HTTP/1.1
Content-Type: application/json

{
  "secret": "base32-encoded-data",
  "code": "123456",
  "email": "user@example.com",
  "password": "t0pSecret"
}
Request JSON Object

  • secret (string) – A base32 encoded secret value.

  • code (string) – The current, 6-digit TOTP code generated using provided secret.

  • email (string) – An email address used for the account registration.

  • password (string) – Account password in plain text.

Status Codes

  • 201 Created – Two-factor authentication was successfully enabled for this account. No payload is returned.

  • 400 Bad Request – An incomplete or malformed input. See Error response section for details.

  • 401 Unauthorized – A valid authentication credentials were not provided.

  • 409 Conflict – Two-factor authentication is already enabled for this account.

Account management

Create a new account

POST /accounts

Account creation is a two step operation and require email address confirmation.

First, you must submit your email address that you would like to use to register a new account. After this, you will receive an email message with a link to finish registration process.

Example request:

POST /accounts HTTP/1.1
Content-Type: application/json

{
  "email": "user@example.com"
}
Request JSON Object

  • email (string) – An email address that should be used to authenticate.

Status Codes

  • 202 Accepted – Registration was initialized, email message with a one-time registration token was sent. No response payload.

  • 400 Bad Request – Incomplete, invalid or malformed JSON payload.

  • 409 Conflict – Provided email is already used by another account.

PUT /accounts

Received email message will contain a URL with one-time registration token. Your application is responsible for handling that URL and extracting registration token.

Example request:

PUT /accounts HTTP/1.1
Content-Type: application/json

{
  "password": "t0pSecret",
  "token": "fdf1033a39a0ffae50784b44909a97bd"
}
Request JSON Object

  • password (string) – A plain text password that will be set for this account.

  • token (string) – The one-time token sent via email.

Example response body:

{
  "account_id": "8138177c4fa45ce839d158374d1601c9"
}
Response JSON Object

  • account_id (string) – The identifier of the newly created account.

Status Codes

  • 201 Created – Successful registration. New account email/password combination can be used to login.

  • 400 Bad Request – Incomplete, invalid or malformed JSON payload.

  • 401 Unauthorized – Provided one-time token is invalid or expired.

  • 409 Conflict – Provided email is already used by another account.

Reset an account password

POST /passwordreset

Account password reset is a two step operation.

Example request:

POST /passwordreset HTTP/1.1
Content-Type: application/json

{
  "email": "user@example.com"
}
Response JSON Object

  • email (string) – The email address connected to the account we want to access.

Status Codes

  • 202 Accepted – Password reset was initialized, email message with a one-time token was sent. No response payload.

  • 400 Bad Request – Incomplete, invalid or malformed JSON payload.

PUT /passwordreset

Example request:

PUT /passwordreset HTTP/1.1
Content-Type: application/json

{
  "password": "t0pSecret",
  "token": "fdf1033a39a0ffae50784b44909a97bd"
}
Request JSON Object

  • password (string) – A plain text password that will be set for this account.

  • token (string) – The one-time token sent via email.

Example response body:

{
  "account_id": "8138177c4fa45ce839d158374d1601c9"
}
Response JSON Object

  • account_id (string) – The identifier of the newly created account.

Status Codes

  • 200 OK – A new account password is set.

  • 401 Unauthorized – Provided one-time token is invalid or expired.

  • 409 Conflict – Account email address has changed since the one-time token was generated. You must request a new password reset token.

previous

Welcome to Lith’s documentation!

next

Examples