API Reference: Auth endpoints

The Auth API issues AnswerPal JWTs for representative and phone-channel contexts and supports password reset flows. Operational impersonation is reserved for trusted platform tooling.

Current endpoints

Login and token issuance

Auth routes that issue or recover credentials do not require an existing bearer token. Use the returned JWT as Authorization: Bearer {token} on protected AnswerPal API endpoints.

  • POST /api/Auth/login – No bearer token
    Authenticate an active customer representative by username, password and hostname. On success the route returns a JWT token object.
  • POST /api/Auth/phone-login – No bearer token
    Authenticate a phone-channel context by phoneNumber and Twilio accountSid. The account SID must match the customer and the phone number must belong to a non-deleted channel.
  • POST /api/Auth/impersonate-by-customer – Internal platform tooling
    Operational route for trusted platform tooling; not intended for browser or third-party integrations.

Representative login

Request

POST /api/Auth/login
Content-Type: application/json

{
  "username": "agent@example.com",
  "password": "correct horse battery staple",
  "hostname": "app.answerpal.eu"
}

Response

200 OK
Content-Type: application/json

{
  "token": "eyJhbGciOi..."
}

Phone login

POST /api/Auth/phone-login
Content-Type: application/json

{
  "phoneNumber": "+3225550100",
  "accountSid": "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

Access and responses

Status codes

  • 200 OK
    Returned by login, phone-login, impersonation and reset request when accepted. Token-producing routes return { "token": "..." }.
  • 204 No Content
    Returned by successful password reset.
  • 400 Bad Request
    Returned when required fields are missing, password complexity fails or a reset token is invalid/expired.
  • 401 Unauthorized
    Returned for invalid login credentials, invalid phone credentials or unauthorized operational access.
  • 404 Not Found
    Returned by operational impersonation when the customer or an active representative cannot be found.

Security notes

  • No Basic auth
    AnswerPal does not use Basic authentication for inbound API access. Auth issues JWT bearer tokens. Basic/Bearer settings elsewhere are outbound connector settings used when AnswerPal calls external systems.
  • Password reset enumeration
    The password reset request path returns 200 OK after delegating to the reset service, and the service returns silently when no representative matches the email and hostname. The status code therefore does not reveal whether an account exists, and callers must not infer account existence from this endpoint.

Password reset

Password reset is a two-step flow: request a reset link by email and hostname, then submit the token GUID with a valid new password.

  • POST /api/Auth/request-password-reset – No bearer token
    Request a password reset link for email and hostname. The reset request returns 200 OK even when no matching representative is found.
  • POST /api/Auth/reset-password – No bearer token
    Reset a password by reset-token GUID and newPassword. Valid reset tokens expire after four hours and are removed after use.

Request reset example

POST /api/Auth/request-password-reset
Content-Type: application/json

{
  "email": "agent@example.com",
  "hostname": "app.answerpal.eu"
}

Reset password example

POST /api/Auth/reset-password
Content-Type: application/json

{
  "token": "00000000-0000-0000-0000-000000000000",
  "newPassword": "N3w-password!"
}

Fields and behavior

Request bodies

LoginModel

  • username
    Required representative username. The account must be active and not deleted.
  • password
    Required password verified against the stored BCrypt hash.
  • hostname
    Required host name. For normal hosts the lookup is scoped to representatives whose customer hostname matches, so a username is resolved within one customer only. The value localhost bypasses hostname filtering and is intended only for local development.

PhoneLoginModel

  • phoneNumber
    Required phone number that must match a non-deleted channel.
  • accountSid
    Required Twilio Account SID. It must match the owning customer.

Operational impersonation

Reserved for trusted platform tooling. Do not expose this route to browser or third-party client integrations.

PasswordResetRequestModel

  • email
    Required representative email address.
  • hostname
    Required hostname used to find the representative customer, with localhost accepted for local development.

ResetPasswordModel

  • token
    Required reset-token GUID generated by the reset request service. Tokens are valid for four hours.
  • newPassword
    Required new password. Current complexity rule: at least 8 characters and at least 3 of these 4 categories: digit, lowercase, uppercase, symbol.
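
The login, phone-login and two-step password reset calls documented above, together with the 400/401/404 mapping listed under Status codes, as one added Python client. This is example code written for this page, not AnswerPal's own client or SDK. The base URL, the transport function, the exception names and the local GUID check are assumptions; the post parameter exists so the flow can be exercised offline against a stand-in transport. The password check implements the complexity rule stated for newPassword; counting any non-alphanumeric character as a symbol is an assumption.

```python
import json
import re
import urllib.error
import urllib.request

# Assumed base URL; the real value is deployment-specific.
BASE_URL = "https://app.answerpal.eu"
# Reset tokens are GUIDs; reject anything else before making a request.
_GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


class AuthError(Exception):
    """Raised for any status the documented route does not return on success."""

    def __init__(self, status, message):
        super().__init__("%d: %s" % (status, message))
        self.status = status


def http_post(path, body):
    """Default transport: POST a JSON body and return (status, parsed body or None).

    HTTP error statuses are returned rather than raised so every route maps
    them through the same table below."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def _expect(status, payload, allowed):
    """Map the status codes documented for the Auth routes to exceptions."""
    if status in allowed:
        return payload
    reasons = {
        400: "missing field, password complexity failed or reset token invalid/expired",
        401: "invalid login, phone credentials or unauthorized operational access",
        404: "customer or active representative not found",
    }
    raise AuthError(status, reasons.get(status, "unexpected response"))


def login(username, password, hostname, post=http_post):
    """POST /api/Auth/login; no bearer token is sent, a JWT comes back."""
    status, payload = post("/api/Auth/login", {
        "username": username, "password": password, "hostname": hostname})
    return _expect(status, payload, (200,))["token"]


def phone_login(phone_number, account_sid, post=http_post):
    """POST /api/Auth/phone-login with the channel phone number and Twilio SID."""
    status, payload = post("/api/Auth/phone-login", {
        "phoneNumber": phone_number, "accountSid": account_sid})
    return _expect(status, payload, (200,))["token"]


def bearer_headers(token):
    """Header to attach on protected endpoints (Customers, Channels, Tickets, ...)."""
    return {"Authorization": "Bearer " + token}


def password_meets_policy(password):
    """Page rule: at least 8 characters and at least 3 of 4 categories
    (digit, lowercase, uppercase, symbol). 'Symbol' here means any
    non-alphanumeric character, which is an assumption."""
    if len(password) < 8:
        return False
    categories = (
        any(c.isdigit() for c in password),
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(categories) >= 3


def request_password_reset(email, hostname, post=http_post):
    """Step 1: always 200 OK, whether or not the email matches a representative,
    so nothing about account existence can be read from the result."""
    status, payload = post("/api/Auth/request-password-reset", {
        "email": email, "hostname": hostname})
    _expect(status, payload, (200,))
    return True


def reset_password(token, new_password, post=http_post):
    """Step 2: reject locally what the server would answer with 400, then submit.
    Success is 204 No Content; the reset token is single-use and expires after
    four hours."""
    if not _GUID.match(token):
        raise ValueError("reset token must be a GUID")
    if not password_meets_policy(new_password):
        raise ValueError("new password does not meet the complexity rule")
    status, payload = post("/api/Auth/reset-password", {
        "token": token, "newPassword": new_password})
    _expect(status, payload, (204,))
    return True
```

Checking the password rule client-side is a convenience, not a control: the server still enforces it and answers 400, and the same applies to the GUID shape of the reset token.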

Token claims and validation

Representative JWT claims

  • sub, CustomerID, CustomerRepID
    Subject is the representative username. Customer and representative IDs scope protected API access.
  • TimeZone, Locale, Country
    Representative preferences included in the token, defaulting to UTC, en-US and US when absent.
  • role, Role
    Role is included both as a role claim and as the numeric role value used by parts of the API.
  • jti
    Unique JWT ID generated per token.

Phone JWT claims

  • sub
    Set to PhoneAuth.
  • CustomerID, ChannelID, PhoneNumber
    Phone-auth tokens are bound to a customer, channel and phone number.
  • jti
    Unique JWT ID generated per token.

Token validation

  • issuer, audience, lifetime, signing key
    JWT bearer validation checks issuer, audience, lifetime and signing key. Generated Auth tokens currently expire after 12 hours.
  • access_token query
    The JWT bearer setup also reads access_token from the query string, but only for /chatHub SignalR connections, where the browser WebSocket client cannot set an Authorization header. Normal REST calls should send the Authorization header: a token carried in a URL is far more likely to be recorded in server, proxy and browser-history logs than one carried in a header.

After obtaining a JWT, send it as Authorization: Bearer {token} on protected endpoint pages such as Customers, Channels, Tickets, Topics, Actions and Documents. Phone-auth tokens are accepted only by policies that explicitly allow phone context.
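
The claims and validation rules listed above, as an added Python example that is not the project's code. It mints HS256 tokens carrying the representative and phone claim sets from this page, validates signature, issuer, audience and lifetime, applies the policy gate that admits phone context only where explicitly allowed, and extracts the token from the Authorization header or, for /chatHub only, from the access_token query parameter. The signing key, issuer and audience values, the HS256 algorithm, the split of the role into a name and a numeric value, and all function names are assumptions; the deployment's real key and configuration are not on this page.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
import uuid

# Assumed deployment values: the real signing key, issuer and audience are
# configuration, not documented on this page. Never hard-code a production key.
SIGNING_KEY = b"example-hs256-key-not-a-real-secret"
ISSUER = "answerpal"
AUDIENCE = "answerpal-api"
LIFETIME_SECONDS = 12 * 3600  # page: generated Auth tokens expire after 12 hours


class TokenError(Exception):
    pass


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except (ValueError, binascii.Error):
        raise TokenError("malformed base64url segment")


def _json_segment(text):
    try:
        obj = json.loads(_b64url_decode(text))
    except ValueError:
        raise TokenError("malformed JSON segment")
    if not isinstance(obj, dict):
        raise TokenError("segment is not a JSON object")
    return obj


def issue_token(claims, now=None):
    """Mint an HS256 JWT: caller claims plus iss, aud, iat, exp and a fresh jti."""
    now = int(time.time()) if now is None else now
    payload = dict(claims, iss=ISSUER, aud=AUDIENCE, iat=now,
                   exp=now + LIFETIME_SECONDS, jti=str(uuid.uuid4()))
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def representative_token(username, customer_id, rep_id, role_name, role_value,
                         tz="UTC", locale="en-US", country="US", now=None):
    """Representative claims from the page; the role name/number split is assumed."""
    return issue_token({"sub": username, "CustomerID": str(customer_id),
                        "CustomerRepID": str(rep_id), "TimeZone": tz, "Locale": locale,
                        "Country": country, "role": role_name, "Role": int(role_value)}, now)


def phone_token(customer_id, channel_id, phone_number, now=None):
    """Phone-channel claims: sub is fixed to PhoneAuth."""
    return issue_token({"sub": "PhoneAuth", "CustomerID": str(customer_id),
                        "ChannelID": str(channel_id), "PhoneNumber": phone_number}, now)


def validate_token(token, now=None):
    """Check signature, issuer, audience and lifetime; return the claims or raise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    if _json_segment(h).get("alg") != "HS256":   # reject alg=none and key confusion
        raise TokenError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")        # checked before any claim is trusted
    claims = _json_segment(p)
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    return claims


def is_phone_context(claims):
    return claims.get("sub") == "PhoneAuth"


def authorize(claims, allow_phone=False):
    """Policy gate: a phone token passes only where the policy explicitly allows
    phone context. Returns the CustomerID that scopes the request."""
    if is_phone_context(claims):
        if not allow_phone:
            raise TokenError("phone context not permitted by this policy")
        required = ("CustomerID", "ChannelID", "PhoneNumber")
    else:
        required = ("CustomerID", "CustomerRepID")
    missing = [c for c in required if c not in claims]
    if missing:
        raise TokenError("token lacks claims: " + ", ".join(missing))
    return claims["CustomerID"]


def token_from_request(headers, path, query):
    """Authorization header first; access_token from the query only for /chatHub."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    if path.startswith("/chatHub") and query.get("access_token"):
        return query["access_token"]
    return None
```

The signature is verified before any claim is read, and the header alg is pinned to the one the deployment actually uses; both are the checks that matter most when a bearer token is the only credential a protected endpoint sees.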
