
Authentication API

Cropr uses Google OAuth 2.0 for user authentication and JWT tokens for API authorization.

Endpoints

Login with Google

POST /auth/google

Authenticate using a Google OAuth ID token.

Request Body:

{
  "idToken": "google-oauth-id-token"
}

Response:

{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": 1,
    "email": "user@example.com"
  }
}

JWT Payload Structure:

{
  "sessionId": "uuid-session-id",
  "userId": 1,
  "email": "user@example.com"
}

Using the Token

Include the JWT token in the Authorization header for all authenticated requests:

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Session Management

Each login creates a new session that tracks:

  • Session ID — Unique identifier
  • User Agent — Browser/client information
  • IP Address — Client IP

Sessions are validated on every request. If the user agent or IP changes significantly, the session may be invalidated for security.

Token Expiration

JWT tokens have a configurable expiration time. When a token expires, the client receives a 401 Unauthorized response and must re-authenticate.
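The token, session and expiration rules above, worked through as an added example (this is not Cropr's own code). It assumes the Google ID token has already been verified, that the JWT is HS256-signed and carries an added "exp" claim alongside the documented payload, that sessions are kept in a dict keyed by sessionId, and that the client IP arrives in a hypothetical X-Client-IP header; the user-agent/IP check is a strict comparison standing in for the "changes significantly" heuristic.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder; the real signing key is server-side config

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user_id, email, session_id, ttl, now=None):
    """Issue an HS256 JWT carrying the documented payload plus an 'exp' claim (assumption)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sessionId": session_id, "userId": user_id, "email": email, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(headers, sessions, now=None):
    """Check the Bearer token and the session it names. Returns (200, claims) or (401, reason)."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    h, p, s = parts
    try:
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":  # refuse alg=none / alg confusion
            return 401, "unsupported alg"
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return 401, "bad signature"
        claims = json.loads(_b64url_decode(p))  # only trusted after the signature check
    except ValueError:
        return 401, "malformed token"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"  # client must re-authenticate via POST /auth/google
    session = sessions.get(claims.get("sessionId"))
    if session is None:
        return 401, "unknown session"
    # Strict match stands in for the docs' "changes significantly" heuristic (assumption).
    if session["userAgent"] != headers.get("User-Agent") or session["ip"] != headers.get("X-Client-IP"):
        return 401, "session mismatch"
    return 200, claims
```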