🔐 User Resource

Authentication and session management

Authentication and authorization management for secure 7G API access. Provides user credential validation, JWT access token generation, refresh token workflows, and session lifecycle management with audit trails.

  • 2 Endpoints
  • JWT Token Standard
  • Secure Authentication
  • Audit Trail Support

Usage Notes

When

  • Authenticate and obtain access tokens
  • Refresh tokens before expiration
  • Establish API session

Requirements

  • Valid credentials for Login
  • Valid refresh token for RefreshToken

Notes

  • Only 3 endpoints are anonymous: /user/login, /common/lookup, and /common/HealthCheck. All others require a valid access token.
  • /user/refreshToken is not anonymous — it still reads the (possibly expired) access token from the Authorization header.
  • Access tokens expire 20 minutes after issue (configurable per environment via JwtSettings:ExpireMinutes).
  • SDK auto-refreshes tokens 30 seconds before expiration via EnsureValidTokenAsync().
  • JWT-based authentication with separate access and refresh tokens; both rotate on successful refresh.

Description

User handles authentication and session management. Login to obtain access and refresh tokens. Use RefreshToken to extend sessions without re-authentication.

Available Endpoints

Authentication Services

Core Data Transfer Objects

  • LoginRequest. Used by: Login POST endpoint. Authentication credentials (2 properties): Username and Password
  • TokenResponse. Used by: Login and RefreshToken responses. JWT authentication response (2 properties): AccessToken and RefreshToken

    public class TokenResponse
    {
        public string AccessToken { get; set; }
        public string RefreshToken { get; set; }
    }

  • RefreshTokenRequest. Used by: RefreshToken POST endpoint. Token refresh request (1 property): RefreshToken for session extension

Authentication Workflow & SDK Pattern

The SDK AuthClient manages authentication with automatic token refresh, ensuring continuous API access without manual token management or user interruption.

SDK Automatic Token Refresh

The SDK's EnsureValidTokenAsync() method automatically refreshes access tokens 30 seconds before expiration. All resource clients call this method before each request, enabling long-running sessions without manual refresh logic.
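The refresh rules on this page (30-second window, access token still sent to /user/refreshToken, both tokens replaced on success) as an added C# example; it is not the SDK's AuthClient or EnsureValidTokenAsync() code. RefreshingTokenStore, the Bearer scheme, the JSON body shape and an HttpClient whose BaseAddress is the API root are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

public class TokenResponse // same shape as the DTO on this page
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

// Hypothetical helper for illustration; not the SDK's AuthClient.
public sealed class RefreshingTokenStore
{
    private static readonly TimeSpan Skew = TimeSpan.FromSeconds(30); // refresh window from the page
    private readonly SemaphoreSlim _gate = new SemaphoreSlim(1, 1);   // one refresh in flight
    private readonly HttpClient _http; // assumption: BaseAddress is the API root
    private TokenResponse _tokens;
    public RefreshingTokenStore(HttpClient http, TokenResponse fromLogin) { _http = http; _tokens = fromLogin; }

    // Reads "exp" for scheduling only; signature validation stays on the server.
    public static DateTimeOffset ReadExpiry(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(p));
        return DateTimeOffset.FromUnixTimeSeconds(doc.RootElement.GetProperty("exp").GetInt64());
    }
    private bool IsFresh() => DateTimeOffset.UtcNow < ReadExpiry(_tokens.AccessToken) - Skew;

    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        if (IsFresh()) return _tokens.AccessToken;
        await _gate.WaitAsync(ct);
        try
        {
            if (IsFresh()) return _tokens.AccessToken; // another caller already rotated the pair
            using var req = new HttpRequestMessage(HttpMethod.Post, "user/refreshToken"); // not anonymous
            // The current (possibly expired) access token goes in the header; "Bearer" is assumed.
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _tokens.AccessToken);
            req.Content = JsonContent.Create(new { RefreshToken = _tokens.RefreshToken });
            using HttpResponseMessage res = await _http.SendAsync(req, ct);
            res.EnsureSuccessStatusCode();
            _tokens = await res.Content.ReadFromJsonAsync<TokenResponse>(cancellationToken: ct) ?? throw new InvalidOperationException("Empty token response");
            return _tokens.AccessToken; // pair replaced as a unit, since both tokens rotate
        }
        finally { _gate.Release(); }
    }
}
```

The semaphore matters because both tokens rotate: two concurrent refreshes would present the same refresh token, and the second call would be using a value the first has already replaced.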

Business Rules & Constraints

Authentication & Access Control

  • Access token requirement: All API endpoints require a valid JWT access token. The only anonymous endpoints are /user/login, /common/lookup, and /common/HealthCheck.
  • /user/refreshToken requires the existing (possibly expired) access token in the Authorization header — it is not anonymous.
  • Token lifespan: access tokens expire after 20 minutes (configurable via JwtSettings:ExpireMinutes); refresh proactively to maintain continuous operations.
  • Security monitoring: Failed authentication attempts tracked with audit trails and threat detection.

Session & Token Lifecycle

  • Session extension: Refresh tokens provide session extension without credential re-entry or user interruption
  • Token expiration enforcement: Token expiration policies maintained to balance security requirements with operational user experience
  • Automatic cleanup: Session lifecycle includes automated cleanup and token invalidation upon expiration or logout
  • Concurrent session management: Support for multiple concurrent sessions with token tracking and selective invalidation

Security & Audit

  • JWT implementation: tokens are issued with secure signing and encryption
  • Audit trail generation: Authentication and session management audit trails maintained for compliance reporting
  • Identity provider integration: Authentication endpoints support integration with identity providers and SSO systems