Authentication
BugSeq’s API uses OAuth 2.0 with https://auth.bugseq.com as the authorization server. Clients obtain JWT access tokens and send them on each request using the HTTP Authorization: Bearer <token> header.
Authorization server
- Auth endpoint: https://auth.bugseq.com/oauth2/authorize
- Token endpoint: https://auth.bugseq.com/oauth2/token
- Client ID: 1nda6286pu7o5uo84ikg6omnig
- Redirects: http://localhost:8411/bugseq/cognito/login
- Scopes: use openid and email
Flows
We recommend using an authentication library to drive the auth flow. We have an example implementation in Python, available at https://gitlab.com/bugseq-open/bugseq-client-py
Authorization Code + PKCE (for browsers/mobile)
- Redirect users to our authorize endpoint:
GET /oauth2/authorize?
client_id=<CLIENT_ID>
&response_type=code
&redirect_uri=<REDIRECT_URI>
&scope=openid%20email
&code_challenge=<BASE64URL(SHA256(verifier))>
&code_challenge_method=S256
- The auth server prompts for login and consent, then redirects to redirect_uri?code=...
- Exchange the code for tokens:
curl -X POST https://auth.bugseq.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code" \
-d "client_id=<CLIENT_ID>" \
-d "code=<AUTH_CODE>" \
-d "redirect_uri=<REDIRECT_URI>" \
-d "code_verifier=<ORIGINAL_VERIFIER>"
Response:
{
"access_token": "<JWT>",
"id_token": "<JWT>",
"refresh_token": "<secret>",
"token_type": "Bearer",
"expires_in": 3600
}
Using the access token
Include the token on every API call:
curl https://api.bugseq.com/v1/users/me \
-H "Authorization: Bearer <ACCESS_TOKEN>"
Refreshing tokens
When expires_in elapses (typically 1 hour), refresh:
curl -X POST https://auth.bugseq.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token" \
-d "client_id=<CLIENT_ID>" \
-d "refresh_token=<REFRESH_TOKEN>"
(Refresh tokens are long-lived; store securely and never ship them to the browser unless you fully understand the risks.)