This document describes how authentication works in the Misca platform and how clients should interact with protected APIs.
Misca uses JWT Bearer Authentication for all protected endpoints.
Public endpoints (such as public menu pages) do not require authentication.
Authentication is required for:
- Workspace APIs
- Business panel APIs
- Admin APIs
- Type: JWT (JSON Web Token)
- Transport: Authorization header
- Scheme: Bearer
Example: Authorization: Bearer <ACCESS_TOKEN>
Authentication is performed by sending credentials to the authentication endpoint.
Upon successful authentication, the API returns an access token.
The access token must be included in all subsequent protected requests.
The JWT payload includes:
- User identifier
- Token expiration time
- Required claims for authorization
The expiration time is provided as a Unix timestamp.
- Tokens are time-limited
- Expiration time is not hard-coded
- Token lifetime is configurable on the server
Clients are responsible for handling token expiration and re-authentication.
Misca APIs are separated into logical scopes:
- Public / Auth: authentication and public access endpoints
- Workspace / Panel: business and menu management APIs
- Admin: administrative and system-level APIs
Access to each scope is validated based on the authenticated user and token claims.
If a request is made without a valid token, the API will respond with:
- 401 Unauthorized – Missing or invalid token
- 403 Forbidden – Insufficient permissions
Error responses follow the standard API response format.
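The client-side behaviour described above (reading the exp claim from the JWT payload, re-authenticating before or after a 401, and treating 403 as non-retryable) as an added example; this is not Misca's own code, and MiscaClient, the authenticate/send callables and the constructed test token are assumptions.

```python
import base64
import json
import time

# Client-side helpers for a JWT bearer scheme (added example, not Misca code).
# MiscaClient and the injected authenticate/send callables are assumptions.

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token):
    # Read the payload only; the client never verifies the signature, the server does.
    header, payload, signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def is_expired(token, now=None, leeway=30):
    # exp is a Unix timestamp; treat tokens expiring within `leeway` seconds
    # as expired so a request does not fail while in flight.
    exp = decode_claims(token)["exp"]
    return exp - leeway <= (time.time() if now is None else now)

def auth_header(token):
    return {"Authorization": "Bearer " + token}

class MiscaClient:
    def __init__(self, authenticate, send, now=time.time):
        self.authenticate = authenticate  # callable -> fresh access token
        self.send = send                  # callable(headers) -> (status, body)
        self.now = now
        self.token = None

    def request(self):
        if self.token is None or is_expired(self.token, self.now()):
            self.token = self.authenticate()
        status, body = self.send(auth_header(self.token))
        if status == 401:
            # Missing or invalid token: re-authenticate once and retry.
            self.token = self.authenticate()
            status, body = self.send(auth_header(self.token))
        if status == 403:
            # Valid token but insufficient permissions; retrying will not help.
            raise PermissionError(body)
        return status, body

def make_fake_token(exp):
    # Constructed test token with a dummy signature; only the payload matters here.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "HS256", "typ": "JWT"}) + "." + enc({"sub": "user-1", "exp": exp}) + ".sig"
```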
- Always store tokens securely on the client
- Never expose tokens in URLs
- Use HTTPS for all API requests
- Rotate tokens when compromised
For exact authentication endpoints, request bodies, and response schemas, refer to the Swagger documentation linked in the API section.