Authentication
Get a one-time JWT token
Exchange the current session for a short-lived server-side token used to construct authenticated redirect URLs without exposing the bearer token in the URL.
POST /api/sys/users/token/refresh
Issues a short-lived, opaque server-side token tied to the authenticated customer’s session. The portal uses this token exclusively to build redirect URLs that require the customer to land in an authenticated state on the legacy server-rendered side of Nexudus — for example, when opening a file download or navigating to a server-rendered page from within the React portal. The token is placed in the URL (?t=) and is not the bearer token itself.
This is not an OAuth token-refresh operation. It does not rotate the bearer token or the refresh_token held by the client. Use POST /api/token with grant_type=refresh_token to renew an expiring bearer token instead.
Authentication
Requires a valid customer bearer token.
Request Body
This endpoint accepts no body parameters. Send the request with no body; authentication is established entirely via the Authorization header.
Response
Returns an ActionConfirmation envelope.
- true when a server-side token was issued successfully. The component rendering the authenticated link should remain disabled until this is true.
- The short-lived opaque token string. Append this as the t query parameter when constructing authenticated redirect URLs, e.g. /user/login?server=true&t={Value}&redirectUrl=.... null when WasSuccessful is false.
- HTTP-style status code mirrored in the response body. 200 on success, 500 on failure.
- Human-readable message. Usually null on success.
- Validation or server errors. null on success.
Examples
Successful token refresh
Using the token in a redirect URL
Once WasSuccessful is true, construct the authenticated URL as follows:
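One way to request the token and build the /user/login?server=true&t=...&redirectUrl=... URL from the envelope, as an added example that is not the portal's own code. The function names, the injected post parameter and the same-site restriction on redirectUrl are assumptions, not part of the documented API.

```typescript
// Added example; not Nexudus portal source. WasSuccessful, Value and the URL
// shapes come from the page. All other names are hypothetical.
interface ActionConfirmation {
  WasSuccessful: boolean;
  Value: string | null;
}

// Minimal fetch-like signature so callers can pass fetch or a stub.
type PostFn = (
  url: string,
  init: { method: string; headers: { [name: string]: string } }
) => Promise<{ ok: boolean; json(): Promise<unknown> }>;

// POST with no body: the bearer token travels only in the Authorization header.
function requestOneTimeToken(post: PostFn, apiBase: string, bearer: string): Promise<ActionConfirmation> {
  return post(apiBase + "/api/sys/users/token/refresh", {
    method: "POST",
    headers: { Authorization: "Bearer " + bearer },
  }).then((res) => {
    if (!res.ok) throw new Error("token request rejected; sign in again via POST /api/token");
    return res.json().then((body) => body as ActionConfirmation);
  });
}

// Assumption: redirectUrl should be a path on the same site. Absolute URLs,
// scheme-relative (//host) forms, backslashes and control characters are refused
// so the login hop cannot forward the user to another origin.
function isLocalPath(path: string): boolean {
  return /^\/(?!\/)/.test(path) && !/[\\\u0000-\u001f]/.test(path);
}

// Returns the authenticated URL, or null while the link must stay disabled.
function buildAuthenticatedUrl(env: ActionConfirmation, serverUrl: string, redirectPath: string): string | null {
  if (!env.WasSuccessful || !env.Value) return null;
  if (!isLocalPath(redirectPath)) return null;
  const base = serverUrl.replace(/\/+$/, "");
  // Encode both values so neither can inject extra query parameters.
  return base + "/user/login?server=true&t=" + encodeURIComponent(env.Value) +
    "&redirectUrl=" + encodeURIComponent(redirectPath);
}
```

Because the token ends up in the query string, it will appear in browser history and server access logs; request it immediately before navigating rather than caching it.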
Use Cases
Logging the user into the portal
When you need to authenticate a user and redirect them into the portal (e.g., after completing an e-commerce checkout, verifying an email, or activating a magic link), use this endpoint to obtain a short-lived JWT and redirect the browser to the portal login URL:
- Obtain the JWT — call POST /api/sys/users/token/refresh with a valid bearer token
- Redirect the user — navigate to :portal_url/login?t=:jwt on the Nexudus server URL
redirectUrl to send the user to a specific page after login:
Getting a bearer token for API requests
If you need to make authenticated API calls on behalf of the customer (rather than redirecting them), use the Exchange JWT endpoint (POST /api/sys/users/exchange) instead. It converts a short-lived server-issued JWT into a standard bearer token that can be used in the Authorization header for subsequent API requests. See Exchange JWT for details.
TypeScript Integration
Usage in Portal
| Context | Source file |
|---|---|
| Authenticated redirect links (e.g. file downloads, PDF views) | src/components/AuthenticatedLink.tsx |
Error Responses
The bearer token is missing, expired, or invalid. The customer must sign in again via POST /api/token.
Related Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/token | Exchange email and password (or a refresh token) for a new bearer token |
| POST | /api/sys/users/exchange | Exchange a server-issued JWT for a bearer token |
| GET | /api/auth/media/customer | Obtain a short-lived JWT for accessing protected media files |