
POST /authorize

Sends API-user credentials and returns a bearer token. The token is opaque — your application stores it as a string and replays it as a header on every subsequent call. Treat it like a session cookie: don’t log it, don’t share it, and reissue when it expires.

Endpoint

POST /api/v1/authorize

Headers

Header | Value
Content-Type | application/json

No Authorization header on this call — this is how you obtain one.

Request body

{
  "username": "abcdef12-3456-7890-abcd-ef1234567890@api.rebelcore.local",
  "password": "<48-character password from the portal>"
}

Field | Type | Required | Notes
username | string | yes | The synthetic email shown in the portal when the API user was created.
password | string | yes | The 48-character password shown once at creation.

Both values come from the API User dialog in the portal. See API users for the provisioning flow.

Successful response

200 OK

{
  "token": "AT1...<opaque base64url string>...",
  "expires_at": 1746838800,
  "token_type": "Bearer"
}

Field | Type | Notes
token | string | Bearer token. Reuse it for /api/v1/infer calls.
expires_at | integer | Unix timestamp (seconds, UTC) when the token stops working. Always 24 hours after the call.
token_type | string | Always "Bearer". Use it as the Authorization scheme.

The token is a single string with no internal structure your application should parse. Treat it as opaque.

Errors

Status | Body | When
401 | { "detail": "invalid credentials" } | Wrong username, wrong password, the user is not an API user, or the user is inactive. The API does not distinguish these cases by response — fix the credentials and retry.
400 | validation error | The request body is missing a field or has the wrong type.

Token lifetime

  • Duration: 24 hours from issue.
  • Renewal: there is no refresh token. When a call returns 401 token expired, call /authorize again with the same credentials and continue.
  • Revocation: tokens are stateless and cannot be revoked individually. To lock an API user out, deactivate them in the portal — the next /authorize call will fail. In-flight tokens keep working until their natural expiry.
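
The renewal rules above, handled in client code. This is an added example, not part of the original page; `TokenCache`, `call_with_reauth`, the 60-second renewal margin and the retry-once-on-any-401 policy are assumptions, and the HTTP calls are replaced by constructed stand-ins so it runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple


@dataclass
class TokenCache:
    """Holds the bearer token in memory and re-authorizes when it is stale."""
    authorize: Callable[[], dict]         # does POST /api/v1/authorize, returns parsed JSON
    skew: int = 60                        # assumption: renew 60 s before expires_at
    clock: Callable[[], float] = time.time
    # repr=False keeps the token out of repr() and therefore out of logs and tracebacks.
    _token: Optional[str] = field(default=None, init=False, repr=False)
    _expires_at: int = field(default=0, init=False)

    def header(self) -> dict:
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            body = self.authorize()
            if body.get("token_type") != "Bearer" or not isinstance(body.get("token"), str):
                raise ValueError("unexpected /authorize response shape")
            # The token is stored as an opaque string; only expires_at is interpreted.
            self._token, self._expires_at = body["token"], int(body["expires_at"])
        return {"Authorization": f"Bearer {self._token}"}

    def invalidate(self) -> None:
        """Drop the cached token so the next header() call re-authorizes."""
        self._token = None


def call_with_reauth(cache: TokenCache, send: Callable[[dict], Tuple[int, object]]):
    """send(headers) -> (status, body). On 401, re-authorize and retry exactly once."""
    status, body = send(cache.header())
    if status == 401:
        cache.invalidate()
        status, body = send(cache.header())
    return status, body


if __name__ == "__main__":
    # Constructed stand-ins for the real HTTP calls; token values are made up.
    issued = []
    def fake_authorize() -> dict:
        issued.append(1)
        return {"token": f"AT1-constructed-{len(issued)}",
                "expires_at": int(time.time()) + 86400, "token_type": "Bearer"}
    replies = iter([(401, "token expired"), (200, "ok")])
    cache = TokenCache(authorize=fake_authorize)
    print(call_with_reauth(cache, lambda headers: next(replies)), len(issued))
    print(repr(cache))  # the token value does not appear here
```

In real use, `authorize` wraps the POST shown in the Example section and returns `r.json()`.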

Example

curl

curl https://api.rebelcore.ai/api/v1/authorize \
  -H "Content-Type: application/json" \
  -d '{
    "username": "abcdef12-3456-7890-abcd-ef1234567890@api.rebelcore.local",
    "password": "your-48-character-password-here"
  }'

Python (httpx)

import httpx

with httpx.Client() as client:
    r = client.post(
        "https://api.rebelcore.ai/api/v1/authorize",
        json={
            "username": "abcdef12-3456-7890-abcd-ef1234567890@api.rebelcore.local",
            "password": "your-48-character-password-here",
        },
    )
    # Raises on 401/400 so a failed login never reaches the token lookup.
    r.raise_for_status()
    token = r.json()["token"]

Node.js (fetch)

const r = await fetch("https://api.rebelcore.ai/api/v1/authorize", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    username: "abcdef12-3456-7890-abcd-ef1234567890@api.rebelcore.local",
    password: "your-48-character-password-here",
  }),
});
// Fail on 401/400 instead of continuing with an undefined token.
if (!r.ok) throw new Error(`authorize failed: ${r.status}`);
const { token } = await r.json();

Postman setup

If you’re testing with Postman, set this in the Tests tab of the /authorize request so the token is automatically captured into a collection variable:

const json = pm.response.json();
pm.collectionVariables.set("token", json.token);

Subsequent requests can then reference {{token}} in their Authorization header. See the /api/v1/infer page for how that header is used.
