
Authentication

The WebberStop REST API uses JSON Web Tokens (JWT) for authentication. You exchange your portal email and password for a token, then send that token on every subsequent request.

Obtain a token

POST /login
Content-Type: application/json

{
"email": "you@yourcompany.com",
"password": "your-portal-password"
}

Successful response:

{
"token": "eyJhbGciOiJIUzI1NiIs...",
"user": {
"id": "u_abc123",
"email": "you@yourcompany.com",
"role": "Administrator"
},
"mfaRequired": false
}

If your account has MFA enabled, mfaRequired will be true and the token returned is a pre-MFA token, valid only for the MFA endpoints below.

Curl example

TOKEN=$(curl -sS --fail https://portal.webberstop.com/backend/api/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@yourcompany.com","password":"your-password"}' \
  | jq -er '.token') || { echo "login failed" >&2; exit 1; }

echo "$TOKEN"

(--fail makes curl exit non-zero on an HTTP error instead of handing an error body to jq, and jq -e exits non-zero when .token is missing or null, so a bad password does not silently leave TOKEN set to the string "null".)

Handle MFA

If MFA is enabled on your account:

POST /mfa/send-otp
Authorization: Bearer <pre-mfa-token>

This sends a one-time code via your configured channel (email, SMS, or authenticator app, depending on your setup).

Then verify:

POST /mfa/verify-otp
Authorization: Bearer <pre-mfa-token>
Content-Type: application/json

{
"otp": "123456"
}

The response contains a full-access JWT. Use this token for all subsequent calls.

Use the token

Send the token in the Authorization header on every request:

GET /vpcs
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Curl example:

curl -s https://portal.webberstop.com/backend/api/vpcs \
-H "Authorization: Bearer $TOKEN"
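The whole flow above (login, send-otp, verify-otp, then an authenticated GET) as a small Python client. This is an added example, not WebberStop's own client library. The base URL, paths and JSON shapes are the ones documented on this page; the HTTP layer is injectable so the flow can be exercised offline against the constructed fake server at the bottom, whose tokens and user record are made up for the example. `urllib_transport` is the stdlib-only drop-in for the real portal.

```python
"""Added example, not WebberStop's own client: drive login -> /mfa/send-otp ->
/mfa/verify-otp -> authenticated GET. Fake server below is constructed."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://portal.webberstop.com/backend/api"

# transport(method, url, headers, json_body_or_None) -> (status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class AuthError(Exception):
    pass


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Real HTTPS transport using only the standard library (not used offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


@dataclass
class Session:
    transport: Transport = urllib_transport
    token: Optional[str] = None          # full-access JWT, once authenticated
    pre_mfa_token: Optional[str] = None  # valid only for the /mfa/* endpoints

    def _post(self, path: str, body: Optional[dict], bearer: Optional[str]) -> dict:
        headers = {"Content-Type": "application/json"}
        if bearer:
            headers["Authorization"] = f"Bearer {bearer}"
        status, data = self.transport("POST", BASE_URL + path, headers, body)
        if status != 200:
            raise AuthError(f"POST {path} returned {status}")
        return data

    def login(self, email: str, password: str) -> bool:
        """Exchange credentials for a token. Returns True if an OTP is still required."""
        data = self._post("/login", {"email": email, "password": password}, None)
        if data.get("mfaRequired"):
            # Keep the pre-MFA token separate: it must never be used as a session token.
            self.pre_mfa_token = data["token"]
            self._post("/mfa/send-otp", None, self.pre_mfa_token)
            return True
        self.token = data["token"]
        return False

    def verify_otp(self, otp: str) -> None:
        if not self.pre_mfa_token:
            raise AuthError("no MFA challenge is pending")
        data = self._post("/mfa/verify-otp", {"otp": otp}, self.pre_mfa_token)
        self.token = data["token"]
        self.pre_mfa_token = None  # single-purpose token; discard once upgraded

    def get(self, path: str) -> dict:
        if not self.token:
            raise AuthError("not authenticated; call login()/verify_otp() first")
        status, data = self.transport("GET", BASE_URL + path,
                                      {"Authorization": f"Bearer {self.token}"}, None)
        if status == 401:
            raise AuthError("token rejected (expired or revoked); log in again")
        return data


# ---- Constructed fake server so the flow runs offline (not the real portal) ----
_FAKE_USER = {"email": "you@yourcompany.com", "password": "hunter2-but-longer", "otp": "123456"}


def fake_transport(method, url, headers, body):
    path = url[len(BASE_URL):]
    auth = headers.get("Authorization", "")
    if method == "POST" and path == "/login":
        if body.get("email") != _FAKE_USER["email"] or body.get("password") != _FAKE_USER["password"]:
            return 401, {"error": "invalid credentials"}
        return 200, {"token": "PRE_MFA", "mfaRequired": True,
                     "user": {"id": "u_abc123", "email": body["email"], "role": "Administrator"}}
    if method == "POST" and path == "/mfa/send-otp":
        return (200, {}) if auth == "Bearer PRE_MFA" else (401, {})
    if method == "POST" and path == "/mfa/verify-otp":
        if auth == "Bearer PRE_MFA" and body.get("otp") == _FAKE_USER["otp"]:
            return 200, {"token": "FULL"}
        return 401, {"error": "bad otp"}
    if method == "GET" and path == "/vpcs":  # the pre-MFA token is not accepted here
        return (200, {"vpcs": ["vpc-1"]}) if auth == "Bearer FULL" else (401, {})
    return 404, {}


def demo(otp: str = "123456") -> dict:
    """Full flow against the fake server; returns the /vpcs response body."""
    s = Session(fake_transport)
    if s.login(_FAKE_USER["email"], _FAKE_USER["password"]):
        s.verify_otp(otp)
    return s.get("/vpcs")
```

Against the real portal, construct `Session()` with the default transport and never persist `pre_mfa_token`: it is only good for the two MFA endpoints, and storing it alongside the full-access token invites the two being confused.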

Token lifetime

JWTs issued by /login are valid for 8 hours. After that you must log in again to get a fresh token.

For automation that runs longer than 8 hours, your script should refresh the token before it expires. This only works for accounts without MFA, since the OTP step cannot be completed non-interactively. A simple pattern:

get_token() {
  # Build the JSON with jq so a password containing quotes or backslashes stays valid JSON
  curl -sS --fail https://portal.webberstop.com/backend/api/login \
    -H "Content-Type: application/json" \
    -d "$(jq -n --arg e "$WSI_EMAIL" --arg p "$WSI_PASSWORD" '{email:$e,password:$p}')" \
    | jq -er '.token'   # -e: non-zero exit if .token is missing or null
}

TOKEN=$(get_token) || { echo "login failed" >&2; exit 1; }
TOKEN_EXPIRY=$(($(date +%s) + 7 * 3600)) # refresh 1 hour before the 8h expiry

call_api() {
  if [ "$(date +%s)" -gt "$TOKEN_EXPIRY" ]; then
    TOKEN=$(get_token) || return 1
    TOKEN_EXPIRY=$(($(date +%s) + 7 * 3600))
  fi
  curl -sS --fail -H "Authorization: Bearer $TOKEN" "$@"
}
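The fixed 7-hour timer above drifts from reality if the server ever changes the lifetime or the script's clock is off. The following added example (not WebberStop's own code) schedules the refresh from the JWT's own `exp` claim instead. It assumes the portal's JWT carries a standard `exp` claim in unix seconds, which this page does not state explicitly. The client decodes the payload only to read `exp`; it does not, and cannot, verify the HS256 signature, which remains the server's job. The signing key and claims in `make_demo_token` are constructed for the example so it runs offline.

```python
"""Added example, not WebberStop's own code: refresh on the token's own `exp`
claim (assumed to be present) rather than a hard-coded timer."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_exp(token: str) -> int:
    """Return the exp claim (unix seconds). No signature check: scheduling only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    if "exp" not in payload:
        raise ValueError("token has no exp claim; fall back to a fixed timer")
    return int(payload["exp"])


def needs_refresh(token: str, now: Optional[int] = None, margin: int = 3600) -> bool:
    """True when the token expires within `margin` seconds (default: 1 hour early)."""
    now = int(time.time()) if now is None else now
    return jwt_exp(token) - now <= margin


class TokenCache:
    """Hands out a valid token, calling `login` only when the cached one is near expiry."""

    def __init__(self, login: Callable[[], str], margin: int = 3600):
        self._login = login          # e.g. a wrapper around POST /login returning .token
        self._margin = margin
        self._token: Optional[str] = None
        self.logins = 0              # how many times /login was actually hit

    def get(self, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if self._token is None or needs_refresh(self._token, now, self._margin):
            self._token = self._login()
            self.logins += 1
        return self._token


def make_demo_token(iat: int, ttl: int = 8 * 3600, key: bytes = b"constructed-demo-key") -> str:
    """Constructed HS256 token with the 8h lifetime this page documents (demo only)."""
    def enc(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    header = enc({"alg": "HS256", "typ": "JWT"})
    payload = enc({"sub": "u_abc123", "iat": iat, "exp": iat + ttl})
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"
```

In a real script, `login` is whatever performs POST /login and returns the `token` field; `TokenCache.get()` then goes in front of every API call. If `jwt_exp` raises because the claim is absent, fall back to the fixed timer rather than treating the token as never expiring.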

Reset a forgotten password

POST /reset-password
Content-Type: application/json

{
"email": "you@yourcompany.com"
}

This sends a reset link to your email. The link contains a token; complete the reset with:

POST /reset-password/{RESET_PASSWORD_TOKEN}
Content-Type: application/json

{
"password": "your-new-password"
}

Manage MFA

Keycloak-based MFA is managed under /admin/mfa/. The endpoint shown here disables it; send it with a full-access token like any other request:

POST /admin/mfa/disable/keycloak
Authorization: Bearer <full-access-token>

(See the Swagger reference for the full set of MFA endpoints, including the one that enables it.)

Security notes

  • Treat the JWT like a password. Never commit it to source control, never log it, never share it.
  • Use environment variables or a secret manager (HashiCorp Vault, AWS Secrets Manager, Doppler) to store portal credentials in CI/CD.
  • Rotate the password used by automation accounts regularly.
  • Create a separate portal user for each automation system so you can revoke access independently.
  • All API traffic must use HTTPS. We reject plain HTTP.