Authentication
Methods
| Method | Usage | Header |
|---|---|---|
| JWT | All web UI users (15-min access + 7-day refresh) | Authorization: Bearer <token> |
| API Keys | System integrations and PSAPLink PSAP instances | Authorization: ApiKey <key> |
| SAML/SSO | Optional enterprise SSO (configured per-agency) | via SAML redirect |
JWT Flow
- Access token: 15-minute lifetime
- Refresh token: 7-day lifetime, rotates on use
- Issued at `POST /api/v1/auth/login`; refreshed at `POST /api/v1/auth/refresh`
API Keys
- SHA-256 hashed in the database — raw key shown exactly once at creation
- Scoped per agency — an API key cannot cross tenant boundaries
- Used by PSAPLink PSAP instances (as `CommandPrincipal`) and system integrations
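One way the storage and tenant-scoping rules above can be implemented, as an added example rather than PSAPLink's own code. The in-memory `KEY_STORE`, the function names and the agency IDs are assumptions made for illustration.

```python
import hashlib
import secrets

# Hypothetical stand-in for the api_keys table: SHA-256 hex digest -> record.
KEY_STORE = {}


def create_api_key(agency_id, name, scopes):
    """Generate a key, persist only its SHA-256 digest, return the raw key once."""
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(raw.encode()).hexdigest()
    KEY_STORE[digest] = {
        "agency_id": agency_id,
        "name": name,
        "scopes": frozenset(scopes),
    }
    return raw  # never stored; the caller must save it now


def authenticate(authorization_header, agency_id, required_scope):
    """Return the key record, or None if scheme, key, tenant or scope fails."""
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "ApiKey" or not presented:
        return None
    # Look up by digest: the raw key is never compared or stored server-side.
    digest = hashlib.sha256(presented.encode()).hexdigest()
    record = KEY_STORE.get(digest)
    if record is None:
        return None
    # Tenant boundary: a key is valid only for the agency it was issued to.
    if record["agency_id"] != agency_id:
        return None
    if required_scope not in record["scopes"]:
        return None
    return record


if __name__ == "__main__":
    # Constructed sample values.
    key = create_api_key("agency-a", "CAD Integration", ["incidents:write"])
    print(authenticate("ApiKey " + key, "agency-a", "incidents:write"))
    print(authenticate("ApiKey " + key, "agency-b", "incidents:write"))
```

An unsalted SHA-256 digest is adequate here only because the key is 256 bits of random data; the same scheme would not be suitable for user passwords.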
Obtaining a JWT
```http
POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "dispatcher@agency.gov",
  "password": "your-password"
}
```
Response:
```json
{
  "token": "eyJ...",
  "refresh_token": "def50...",
  "user": { "id": "uuid", "email": "...", "role": "psap_agent" }
}
```
Refreshing a Token
```http
POST /api/v1/auth/refresh
Content-Type: application/json

{ "refresh_token": "def50..." }
```
Creating an API Key
```http
POST /api/v1/api-keys
Authorization: Bearer <jwt>
Content-Type: application/json

{ "name": "CAD Integration", "scopes": ["incidents:write"] }
```
Warning: The raw key is returned only once. Store it immediately.