Authentication

XBuddy uses JWT (JSON Web Tokens) for API authentication.

Getting a token

POST /api/v1/auth/login
Content-Type: application/json
 
{
  "email": "you@company.com",
  "password": "your-password"
}

Response:

{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expiresIn": 86400,
    "user": {
      "id": "uuid",
      "email": "you@company.com",
      "fullName": "Jane Smith"
    }
  }
}

Using the token

Include the access token as a Bearer token in the Authorization header of every API request:

GET /api/v1/crm/contacts
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Token expiry

  • Access token — expires in 24 hours
  • Refresh token — expires in 30 days

Refreshing the token

POST /api/v1/auth/refresh
Content-Type: application/json
 
{
  "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

2FA

If 2FA is enabled on the account, the login response includes:

{
  "success": true,
  "data": {
    "requiresTwoFactor": true,
    "tempToken": "..."
  }
}

Complete 2FA:

POST /api/v1/auth/2fa/verify
Content-Type: application/json
 
{
  "tempToken": "...",
  "code": "123456"
}

This returns the full accessToken and refreshToken.
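
The login flow above, including the 2FA branch and expiry tracking, as an added client-side example (not XBuddy's own code). The post(path, body) transport, the get_code callback, the fake_post server stand-in and its failure response are hypothetical; the example also assumes the 2FA verify response uses the same success/data envelope as the login response.

```python
import time

class AuthError(Exception):
    """Raised when a response carries no usable token pair."""

def _data(resp):
    # The page shows "success": true on good responses; anything else is a failure.
    if resp.get("success") is not True or not isinstance(resp.get("data"), dict):
        raise AuthError("request was not successful")
    return resp["data"]

def login(post, email, password, get_code, now=time.time):
    data = _data(post("/api/v1/auth/login", {"email": email, "password": password}))
    if data.get("requiresTwoFactor"):
        temp = data.get("tempToken")
        if not temp:
            raise AuthError("2FA required but no tempToken returned")
        # tempToken is only exchanged at the verify endpoint; this client
        # never sends it as a Bearer token.
        data = _data(post("/api/v1/auth/2fa/verify",
                          {"tempToken": temp, "code": get_code()}))
    if not data.get("accessToken") or not data.get("refreshToken"):
        raise AuthError("no token pair in response")
    # Assumption: fall back to the documented 24 h lifetime if expiresIn is absent.
    return {"access": data["accessToken"], "refresh": data["refreshToken"],
            "expires_at": now() + data.get("expiresIn", 86400)}

def needs_refresh(session, now=time.time, skew=60):
    # Refresh slightly early so no request goes out with an expired token.
    return now() >= session["expires_at"] - skew

def auth_header(session):
    return {"Authorization": "Bearer " + session["access"]}

def fake_post(path, body):
    # Constructed stand-in for the server: this account has 2FA enabled.
    if path == "/api/v1/auth/login":
        return {"success": True,
                "data": {"requiresTwoFactor": True, "tempToken": "temp-abc"}}
    if path == "/api/v1/auth/2fa/verify" and body.get("code") == "123456":
        return {"success": True,
                "data": {"accessToken": "access-1", "refreshToken": "refresh-1",
                         "expiresIn": 86400}}
    return {"success": False}  # constructed failure shape

if __name__ == "__main__":
    s = login(fake_post, "you@company.com", "your-password", lambda: "123456")
    print(auth_header(s), needs_refresh(s))
```

When needs_refresh returns true, send the stored refresh token to POST /api/v1/auth/refresh before making the next API call.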