The Boses API uses JWT bearer tokens for authentication. You obtain an access token by logging in with your email and password, then include it in the Authorization header of every request.
All endpoints except /health and the auth endpoints themselves require a valid bearer token.
All API calls are scoped to your company account. You can only access projects, personas, and simulations that belong to your organization — not those of other companies.
Log in
Send a POST request to /auth/login with your credentials. The response returns an access_token you use to authenticate subsequent requests.
```bash
curl -X POST https://api.temujintechnologies.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@company.com",
    "password": "your-password"
  }'
```
The login endpoint accepts up to 20 requests per minute. If you exceed this limit, you will receive a 429 Too Many Requests response.
Use the token
Pass the access token in the Authorization header as a bearer token on every authenticated request.
```bash
curl https://api.temujintechnologies.com/api/v1/projects \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3JfMDFodz..."
```
If your token has expired, the API returns 401 Unauthorized. Use the refresh endpoint to get a new access token without re-entering your credentials.
Refresh the token
Access tokens expire after 15 minutes. To continue making requests without logging in again, call the refresh endpoint. The refresh token is stored as an HttpOnly cookie set during login — you do not need to pass it manually.
```bash
curl -X POST https://api.temujintechnologies.com/api/v1/auth/refresh \
  -H "Content-Type: application/json"
```

```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3JfMDFodz...",
  "token_type": "bearer"
}
```
Both the access token and refresh token are rotated on each refresh call. Store the new access token and discard the old one.
Refresh tokens expire after 30 days of inactivity. If your refresh token has expired, you must log in again with your email and password.
Token lifetimes
| Token | Lifetime |
|---|---|
| Access token | 15 minutes |
| Refresh token | 30 days |
Log out
To end your session and revoke your refresh token, call the logout endpoint. This clears the HttpOnly cookie from your browser and invalidates the refresh token server-side.
```bash
curl -X POST https://api.temujintechnologies.com/api/v1/auth/logout
```
Authentication error codes
| Status code | Meaning | How to resolve |
|---|---|---|
| 401 Unauthorized | The access token is missing, malformed, or expired | Refresh your token using POST /auth/refresh, or log in again |
| 403 Forbidden | The token is valid but your account does not have permission to access the requested resource | Check that the resource belongs to your company account |
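The full flow above (log in, send the bearer token, refresh on 401 with the cookie-held refresh token, fall back to a fresh login when the refresh token itself has expired, and treat 403 as a scope error) as a small client. This is an added example, not an SDK from Temujin Technologies; the `BosesClient` name, the injectable `send` transport, and the cookie-jar handling are assumptions, while the endpoints, status codes and lifetimes are the ones documented on this page.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.temujintechnologies.com/api/v1"  # base path shown on the page

def urllib_transport():
    """Real transport: urllib with a cookie jar, so the HttpOnly refresh cookie
    set by /auth/login is sent back automatically on /auth/refresh."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())
    def send(method, path, headers, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                     headers={"Content-Type": "application/json", **headers})
        try:
            with opener.open(req) as resp:
                return resp.getcode(), json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, {}  # 401/403/429 are decided by the caller
    return send

class BosesClient:
    """Holds one access token; refreshes it on 401, logs in again if refresh fails."""
    def __init__(self, email, password, send=None):
        self._creds, self._send = (email, password), send or urllib_transport()
        self.access_token = None
    def login(self):
        email, password = self._creds
        status, body = self._send("POST", "/auth/login", {}, {"email": email, "password": password})
        if status != 200:  # 429 here means the 20 logins/minute limit was exceeded
            raise RuntimeError(f"login failed with HTTP {status}")
        self.access_token = body["access_token"]
    def refresh(self):
        status, body = self._send("POST", "/auth/refresh", {}, None)
        if status != 200:  # refresh token expired (30 days idle), revoked, or cookie absent
            return False
        self.access_token = body["access_token"]  # tokens rotate: keep only the new one
        return True
    def _authed(self, method, path, body):
        return self._send(method, path, {"Authorization": f"Bearer {self.access_token}"}, body)
    def request(self, method, path, body=None):
        if self.access_token is None:
            self.login()
        status, data = self._authed(method, path, body)
        if status == 401:  # access token expired (15 minutes): refresh, else log in again
            if not self.refresh():
                self.login()
            status, data = self._authed(method, path, body)
        if status == 403:  # token is fine, but the resource belongs to another company account
            raise PermissionError(f"{method} {path} is outside this account's scope")
        return status, data
```

With the default transport, `BosesClient("you@company.com", "your-password").request("GET", "/projects")` runs against the live API; passing your own `send` callable lets you drive the same logic from tests.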
Get the current user
To verify that your token is valid and retrieve your account details, call the /auth/me endpoint.
```bash
curl https://api.temujintechnologies.com/api/v1/auth/me \
  -H "Authorization: Bearer <TOKEN>"
```

```json
{
  "id": "usr_01hw3k9m2n4pqr5st6uv7wx8",
  "email": "you@company.com",
  "company_id": "cmp_09az2b8c1d3efg4hi5jk6lm7"
}
```