
API authentication

April 15, 2026

How to log in, get a JWT, and send it on every request to the OmniCon API.


Every API call except POST /api/auth/login requires a JWT bearer token. You get one with your normal OmniCon username and password, then include it in the Authorization header of every subsequent request.

Login

Send a POST to /api/auth/login with your credentials:

POST https://api.omnicon.cloud/api/auth/login
Content-Type: application/json

{
  "username": "you@example.com",
  "password": "your-password"
}

The response contains the token and an expiration:

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "expiration": "2036-04-14T00:00:00Z"
}

Tokens currently have a 10-year lifetime. There is no refresh-token flow — when a token expires (or when you rotate it), call /login again.

Using the token

Put the token in an Authorization header on every authenticated call:

GET https://api.omnicon.cloud/api/authors?channelId=...
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Calls without a valid token return 401 Unauthorized.

Who am I

Once you have a token, GET /api/auth/me returns the authenticated user's profile. Useful for sanity-checking that a token still works.

GET https://api.omnicon.cloud/api/auth/me
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Scope — what a token can do

Tokens don't carry fine-grained scopes. They identify you, and the API enforces access by looking up your membership on the target organization or channel for each call. That means:

  • You can only touch channels where you have a channel membership (or are in the parent organization).
  • Removing your membership on a channel immediately stops new writes on that channel, even if the token is still technically valid.
  • Changing your password does not invalidate existing tokens — plan token storage accordingly.

Interop with MCP

The API and the MCP server share the same signing key and accept each other's tokens. Most users will never need this — pick the transport that fits the client — but it means an API integration and an MCP client can coexist on a single identity without any extra setup.

Storing tokens safely

  • Never commit a token to source control or paste it into a public channel.
  • For server integrations, keep the token in a secret store (environment variable, key vault, etc.) — not in a config file checked into the repo.
  • For CLI tools, a local config file with restricted permissions (e.g. chmod 600) is fine.
  • Rotate by logging in again and discarding the old token.
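One way to follow the CLI-tool guidance above, as an added example (not OmniCon's own code): it stores the login response in a file created with mode 600 and refuses to use the token if the file has become readable by others or the stored expiration has passed. The function names and the file path passed in are assumptions; the JSON fields are the ones shown in the login response.

```python
import json
import os
import stat
from datetime import datetime, timezone


def save_login_response(path, response):
    """Store the /api/auth/login response body in a file only the owner can read."""
    body = json.dumps({"token": response["token"],
                       "expiration": response["expiration"]})
    tmp = path + ".tmp"
    # Create with 0600 so the token is never written to a file others can read.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), 0o600)  # covers a leftover tmp file with wider bits
        f.write(body)
    os.replace(tmp, path)  # atomic swap: readers see the old or the new file


def load_token(path, now=None):
    """Return the stored token, refusing loose permissions or an expired token."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} is mode {mode:o}; expected 600")
    with open(path) as f:
        stored = json.load(f)
    # "expiration" is ISO 8601 with a trailing Z, as in the login response.
    expires = datetime.fromisoformat(stored["expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("token expired; call /api/auth/login again")
    return stored["token"]


def auth_headers(token):
    """Header to send on every authenticated call."""
    return {"Authorization": f"Bearer {token}"}
```

The local expiration check only avoids sending a token that is known to be expired; GET /api/auth/me remains the check that the server still accepts it.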

Next: Endpoints for the full list of what you can call.
