API for managing tokens

Endpoints for generating and invalidating tokens, and managing token timeout configuration.

Generate a new token

POST /api2/tokens

Request JSON structure

{
    "username":"denis",
    "password":"Qwerty123"
}

Response JSON structure

{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NjUzNDMwODksImhvc3RuYW1lIjoiIiwibmJmIjoxNTY1MjU2Njg5LCJwYXNzd29yZCI6IlF3ZXJ0eTEyMyIsInBvcnQiOiIwIiwicm9sZSI6ImFkbWluIiwic2VjcmV0IjoiIiwidXNlcm5hbWUiOiJkZW5pcyJ9.KpPHV_j3ZZKJNDAxSJEf8rkibGcOfEpGszcay1VUMsc",
    "role": "admin",
    "id": 21,
    "source": "local"
}
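
Added example (not part of the original API documentation): the sample token above is a JWT, so its header and claims are only base64url-encoded and readable by anyone who holds the token. This Python code decodes the sample without verifying the signature, checks that exp minus nbf falls inside the timeout range documented for PUT /api2/token/timeout, and reports non-empty claims named password or secret; the function name inspect_token and the sensitive-claim list are assumptions of this example.

```python
import base64
import json

# Valid range for timeout_seconds, as documented for PUT /api2/token/timeout.
MIN_TIMEOUT, MAX_TIMEOUT = 600, 2592000
# Claim names treated as sensitive (an assumption of this example).
SENSITIVE_CLAIMS = {"password", "secret"}

# Sample token copied from the response shown on this page.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1NjUzNDMwODksImhvc3RuYW1lIjoiIiwibmJmIjoxNTY1MjU2Njg5LCJwYXNzd29yZCI6IlF3ZXJ0eTEyMyIsInBvcnQiOiIwIiwicm9sZSI6ImFkbWluIiwic2VjcmV0IjoiIiwidXNlcm5hbWUiOiJkZW5pcyJ9."
    "KpPHV_j3ZZKJNDAxSJEf8rkibGcOfEpGszcay1VUMsc"
)


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token):
    """Decode header and claims WITHOUT verifying the signature; list findings."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    findings, lifetime = [], None
    if "exp" in claims and "nbf" in claims:
        lifetime = claims["exp"] - claims["nbf"]
        if not MIN_TIMEOUT <= lifetime <= MAX_TIMEOUT:
            findings.append(f"lifetime {lifetime}s outside documented range")
    else:
        findings.append("token has no exp/nbf pair")
    for name in sorted(SENSITIVE_CLAIMS.intersection(claims)):
        if claims[name]:  # empty values carry nothing to leak
            findings.append(f"claim '{name}' is readable by any token holder")
    return {"alg": header.get("alg"), "claims": claims,
            "lifetime": lifetime, "findings": findings}


if __name__ == "__main__":
    report = inspect_token(SAMPLE_TOKEN)
    print("alg:", report["alg"], "lifetime:", report["lifetime"])
    for finding in report["findings"]:
        print("-", finding)
```

Because the claims are readable without the signing key, treat the token itself as a credential: keep it out of logs, URLs and browser history.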

Invalidate all user tokens (logout)

DELETE /api2/tokens

Invalidates all active tokens for the authenticated user, effectively logging them out from all sessions/devices. Once invalidated, the tokens cannot be used for further API requests.

Request headers

Authorization: Bearer <your-token>

Response JSON structure

{
    "message": "All tokens invalidated successfully"
}

Note: If the user has no tracked tokens, the response will be:

{
    "message": "Logged out successfully"
}

Error responses

If the Authorization header is missing:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Authorization header is required"
}

Get token timeout configuration

GET /api2/token/timeout

Retrieves the current global token timeout configuration. This setting determines the expiration time (in seconds) for all newly generated tokens.

Required Role: admin

Request headers

Authorization: Bearer <your-token>

Response JSON structure

{
    "timeout_seconds": 86400
}

Error responses

If authentication fails:

{
    "statusCode": 401,
    "error": "Unauthorized",
    "message": "Invalid or expired token"
}

Set token timeout configuration

PUT /api2/token/timeout

Configures the global token timeout setting. This determines how long (in seconds) newly generated tokens will remain valid before expiring. The setting is persisted and survives restarts.

Required Role: admin

Request headers

Authorization: Bearer <your-token>
Content-Type: application/json

Request JSON structure

{
    "timeout_seconds": 172800
}

Valid range: 600 to 2592000 seconds (10 minutes to 30 days)

Response JSON structure

{
    "statusCode": 200,
    "message": "Successfully updated the token timeout."
}

Error responses

If the timeout value is out of range:

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "Timeout must be between 600 and 2592000 seconds"
}

If the user doesn't have admin privileges:

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "Admin role required"
}
