The Boses API uses short-lived JWT access tokens paired with a rotating refresh token stored as an HttpOnly cookie. All endpoints except /health and the /auth routes themselves require a valid bearer token in the Authorization header.
Token           Lifetime
Access token    15 minutes
Refresh token   30 days

POST /auth/signup

Register a new user account and company. Use this endpoint to onboard your organization to Boses for the first time.
Rate limit: 10 requests per hour per IP address.

Request body

email (string, required): Email address for the new user account.
password (string, required): Password for the account. Must meet minimum security requirements.
company_name (string, required): Name of your organization. All projects and resources you create will be scoped to this company.
full_name (string): Display name for the user.

Response

access_token (string): JWT access token. Pass this in the Authorization: Bearer header on subsequent requests.
token_type (string): Always "bearer".
user (object)

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/signup \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "password": "str0ng-p@ssword",
    "company_name": "Acme Research PH",
    "full_name": "Juan dela Cruz"
  }'

POST /auth/login

Authenticate with your email and password. Returns an access token and sets a refresh_token HttpOnly cookie.
Rate limit: 20 requests per minute per IP address.

Request body

email (string, required): Your account email address.
password (string, required): Your account password.

Response

access_token (string): JWT access token valid for 15 minutes.
token_type (string): Always "bearer".

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "password": "str0ng-p@ssword"
  }'

POST /auth/logout

Revoke the current refresh token and clear the auth cookie. Call this when your user ends their session. No request body is required. The refresh token is read automatically from the HttpOnly cookie.

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/logout \
  -H "Authorization: Bearer <access_token>"

GET /auth/me

Returns the profile of the currently authenticated user.

Response

id (string): UUID of the authenticated user.
email (string): User’s email address.
full_name (string): Display name.
company_id (string): UUID of the company this user belongs to.
company_name (string): Name of the company.

Example

curl https://api.temujintechnologies.com/api/v1/auth/me \
  -H "Authorization: Bearer <access_token>"

POST /auth/refresh

Rotate your access and refresh tokens. The existing refresh token cookie is consumed and replaced with a new one. Use this to keep sessions alive without requiring the user to log in again. No request body is required. The refresh token is read automatically from the HttpOnly cookie.

Response

access_token (string): A new JWT access token valid for 15 minutes.
token_type (string): Always "bearer".

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/refresh \
  -H "Content-Type: application/json"

In a browser-based application, call this endpoint before the 15-minute access token expiry. The refresh token cookie is sent automatically with same-site requests.
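
The browser-side refresh described above, as an added example (not Boses client code): it keeps the access token in memory, works out when to refresh from the token's expiry, and shares one in-flight /auth/refresh call so the consumed-and-replaced refresh cookie is presented only once. It assumes the JWT carries a standard `exp` claim and that `credentials: "include"` is needed because the app is served from a different origin than the API; `TokenManager`, `jwtExpiryMs` and `makeSampleJwt` are illustrative names.

```javascript
// Added example, not Boses client code. BASE comes from the page's curl
// examples; TokenManager, jwtExpiryMs and makeSampleJwt are illustrative names.
const BASE = "https://api.temujintechnologies.com/api/v1";

// Read `exp` (seconds since epoch) from a JWT payload, as milliseconds.
// Assumption: the token has a standard `exp` claim. Decode only, no verification.
function jwtExpiryMs(token) {
  const part = String(token).split(".")[1];
  if (!part) throw new Error("not a JWT");
  const { exp } = JSON.parse(atob(part.replace(/-/g, "+").replace(/_/g, "/")));
  if (typeof exp !== "number") throw new Error("JWT has no exp claim");
  return exp * 1000;
}

// Constructed, unsigned sample token for trying the code offline.
function makeSampleJwt(expSeconds) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none" })}.${enc({ exp: expSeconds })}.`;
}

class TokenManager {
  constructor(fetchImpl = globalThis.fetch, skewMs = 60_000) {
    this.fetchImpl = fetchImpl;
    this.skewMs = skewMs;      // refresh this long before expiry
    this.accessToken = null;   // kept in memory only
    this.inflight = null;      // the one refresh currently in progress
  }
  // How long to wait before refreshing; 0 means refresh now.
  refreshDelayMs(now = Date.now()) {
    if (!this.accessToken) return 0;
    return Math.max(0, jwtExpiryMs(this.accessToken) - this.skewMs - now);
  }

  // Deliberately not `async`: concurrent callers share one promise, so the
  // rotating refresh cookie is presented once, not raced by parallel requests.
  refresh() {
    if (this.inflight) return this.inflight;
    const send = this.fetchImpl; // plain call avoids rebinding fetch's `this`
    this.inflight = send(`${BASE}/auth/refresh`, { method: "POST", credentials: "include" })
      .then(async (res) => {
        if (!res.ok) throw new Error(`refresh failed: ${res.status}`);
        this.accessToken = (await res.json()).access_token;
        return this.accessToken;
      })
      .finally(() => { this.inflight = null; });
    return this.inflight;
  }
}
```

A rejected `refresh()` means the refresh cookie was missing, expired or already consumed, so the caller should send the user back to /auth/login.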

POST /auth/forgot-password

Send a password reset email to the specified address. If the email matches a registered account, a one-time reset link is sent.
Rate limit: 5 requests per hour per IP address.

Request body

email (string, required): Email address of the account you want to reset.

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com"
  }'

The response is the same whether or not the email address is registered, to prevent account enumeration.

POST /auth/reset-password

Reset your password using the token from the reset email. The token is single-use and expires after a short window.

Request body

token (string, required): The password reset token extracted from the link in the reset email.
new_password (string, required): The new password to set for the account.

Example

curl -X POST https://api.temujintechnologies.com/api/v1/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "abc123resettoken",
    "new_password": "new-str0ng-p@ssword"
  }'