> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vinmake.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Login and manage sessions with JWT tokens

# Authentication

Finindex uses JWT-based authentication via Supabase Auth, shared with the Cutmake API. Obtain an `access_token`, send it as a Bearer token on every request, and refresh it before it expires.

## Login

Login is **form-encoded** (`application/x-www-form-urlencoded`) with `username` and `password` fields. The `username` field is the user's email address.

<ParamField body="username" type="string" required>
  User's email address
</ParamField>

<ParamField body="password" type="string" required>
  User's password
</ParamField>

```bash theme={null}
POST /api/v1/auth/login
Content-Type: application/x-www-form-urlencoded

username=user@example.com&password=securepass123
```

```bash theme={null}
curl -X POST https://vinmake-erp.onrender.com/api/v1/auth/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=user@example.com" \
  -d "password=securepass123"
```

**Response (200):**

```json theme={null}
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "bearer"
}
```

## Refresh

Exchange a valid `refresh_token` for a new `access_token`.

<ParamField body="refresh_token" type="string" required>
  The refresh token issued at login
</ParamField>

```bash theme={null}
POST /api/v1/auth/refresh
Content-Type: application/json

{
  "refresh_token": "eyJ..."
}
```

**Response (200):**

```json theme={null}
{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "token_type": "bearer"
}
```

## Using the Token

Send the access token as a Bearer token on every authenticated request:

```bash theme={null}
GET /api/v1/gl/accounts
Authorization: Bearer <access_token>
```

<Tip>
  Store the `refresh_token` securely and call `POST /auth/refresh` when the access token nears expiry rather than re-prompting for credentials.
</Tip>

<Warning>
  Requests without a valid Bearer token return `401 Unauthorized`. Requests for resources outside your organization return `403 Forbidden`.
</Warning>
