Public API
This endpoint is publicly accessible. No authentication required.
Authentication Overview
The Olympus Cloud Auth Service provides secure authentication and authorization for all platform operations.
Authentication Methods
| Method | Use Case | Description |
|---|---|---|
| Email/Password | Web, Mobile | Standard credential login |
| PIN Login | Staff POS | Quick 4-6 digit PIN for staff |
| OAuth/SSO | Enterprise | Google, Apple, SAML providers |
| API Key | Integrations | Server-to-server authentication |
| Firebase Exchange | Mobile Apps | Firebase token exchange |
JWT Token Structure
Access tokens are RS256-signed JWTs with the following claims:
{
"sub": "user_abc123",
"tenant_id": "tenant_xyz",
"roles": ["admin", "manager"],
"permissions": ["orders:read", "orders:write"],
"session_id": "sess_123",
"iat": 1704067200,
"exp": 1704070800,
"iss": "olympus-auth",
"aud": "olympus-api"
}
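Because the access token is an RS256 JWT, an integration or resource server that receives one must verify the signature before trusting any of the claims above, pin the algorithm so the token itself cannot downgrade it, and then enforce iss, aud and exp. The following Go program is an added example written for this page, not code from Olympus Cloud; it assumes the auth service's public key is available to the verifier, and it includes a signing helper (generateKey, signRS256) only so the verification path can be exercised offline with a constructed key. The claim values are the ones shown in the documentation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims mirrors the access-token claims documented above.
type Claims struct {
	Sub         string   `json:"sub"`
	TenantID    string   `json:"tenant_id"`
	Roles       []string `json:"roles"`
	Permissions []string `json:"permissions"`
	SessionID   string   `json:"session_id"`
	Iat         int64    `json:"iat"`
	Exp         int64    `json:"exp"`
	Iss         string   `json:"iss"`
	Aud         string   `json:"aud"`
}

// Values a resource server must pin, taken from the documented claims.
const expectedIssuer, expectedAudience = "olympus-auth", "olympus-api"

var b64 = base64.RawURLEncoding

// generateKey makes a throwaway key pair standing in for the auth service's
// signing key (constructed for this example only; not a real key).
func generateKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// sampleClaims builds the claim set shown in the documentation.
func sampleClaims(now time.Time, ttl time.Duration) Claims {
	return Claims{Sub: "user_abc123", TenantID: "tenant_xyz", SessionID: "sess_123",
		Roles: []string{"admin", "manager"}, Permissions: []string{"orders:read", "orders:write"},
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Iss: expectedIssuer, Aud: expectedAudience}
}

// signRS256 mints header.payload.signature with RSASSA-PKCS1-v1_5 over SHA-256
// (what "RS256" denotes). An assumed stand-in for the auth service's signer.
func signRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyRS256 is the resource-server side: pin the algorithm, verify the
// signature before trusting any claim, then enforce iss, aud and exp.
func verifyRS256(pub *rsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: %d segments", len(parts))
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	payloadJSON, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("segment is not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// The token never chooses the algorithm: "none" or an HMAC alg is rejected first.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != expectedIssuer || c.Aud != expectedAudience {
		return nil, fmt.Errorf("wrong issuer/audience: %q/%q", c.Iss, c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}
```

The order of checks is the point: the algorithm is compared against the single expected value before any cryptography runs, the signature is checked before the payload is parsed, and only then are issuer, audience and expiry enforced. Authorization decisions (the roles and permissions claims) should be read from the returned Claims value only, never from a payload decoded without verification. A client application does not need any of this; it can call GET /auth/validate with its Bearer token and let the service answer.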
Token Lifecycle
Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /auth/login | POST | Email/password login |
| /auth/login/pin | POST | Staff PIN login |
| /auth/refresh | POST | Refresh access token |
| /auth/logout | POST | Invalidate session |
| /auth/validate | GET | Validate current token |
Quick Start
Login
curl -X POST https://api.olympuscloud.ai/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "your-password"
}'
Response:
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "rt_abc123...",
"expires_in": 3600,
"token_type": "Bearer"
}
Validate Token
curl -X GET https://api.olympuscloud.ai/auth/validate \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Security Best Practices
HTTPS Required
All authentication endpoints require HTTPS. HTTP requests will be rejected. Ensure your application is configured to use TLS for all API communication.
- Store tokens securely - Use the platform's secure storage; in web clients never keep tokens in browser local storage
- Refresh proactively - Use the refresh token to obtain a new access token before the current one expires (see expires_in)
- Use HTTPS only - All requests must use TLS
- Implement MFA - Enable MFA for admin accounts
- Rotate API keys - Rotate integration keys regularly