Authentication & Account Management
JWT authentication flows, token lifecycle, session management, guest users, person management, and health checks.
Authentication & Account Management
Overview
The Nomad Media API uses JWT Bearer tokens for authentication. All authenticated endpoints require a valid access token in the Authorization header:
Authorization: Bearer <your-access-token>Access tokens have a limited lifetime (indicated by ExpirationSeconds in the login response). Use the refresh token to obtain a new access token before the current one expires.
Base Routes
| API | Route Prefix | Description |
|---|---|---|
| Core | /account | Login, registration, password management, email verification |
| Portal | /account | Email availability checks, profile updates, guest user management |
| Admin | /admin/user-session | Session monitoring and status management |
| Core | /ping | Health checks and token validation |
| Core | /person | Person management for facial recognition |
Authentication Flow
Standard Registration & Login
1. POST /account/register - Create a new account
2. POST /account/verify - Verify email with the code sent to user
3. POST /account/login - Authenticate and receive JWT token
4. Use Bearer token for all authenticated requests
5. POST /account/ping - Keep session alive (periodic)
6. POST /account/refresh-token - Get new token before expiration
7. POST /account/logout - End sessionGuest User Flow
1. POST /account/invite-user - Invite guests with content access (authenticated user)
2. POST /account/register-guest - Guest completes registration via invitation
3. POST /account/login - Guest logs in with their credentialsPassword Reset Flow
1. POST /account/forgot-password - Request a password reset code
2. POST /account/reset-password - Submit the code and set a new passwordAccount Statuses
When an account is in a non-standard state, the API returns a LoginStatus value indicating what action is needed:
| Status | Value | Description |
|---|---|---|
TwoFactorSetupRequired | 1 | User must set up two-factor authentication |
TwoFactorCodeRequired | 2 | User must provide a 2FA code |
IsDisabled | 3 | Account is disabled by an administrator |
IsPendingEmailConfirmation | 4 | Email verification is required |
IsPendingNewAccountSignup | 5 | Account registration is incomplete |
IsPendingAccountMigrationSignup | 6 | Account migration is required |
IsPendingNewPassword | 7 | A new password must be set |
IsExpired | 8 | Account has expired |
IsPendingInvitation | 9 | Guest invitation has not been completed |
Session Management
Keeping Sessions Alive
Use POST /account/ping periodically to keep a session active. The response includes a PingStatus:
| Status | Value | Action Required |
|---|---|---|
Normal | 1 | Session is healthy, no action needed |
ChatDisabled | 2 | Chat functionality has been restricted |
AccountExpired | 3 | Redirect user to login, account has expired |
SessionDeactivated | 4 | Session was replaced by a newer login |
Single-Session Enforcement
When enabled, only one active session per user is allowed. If a user logs in from a new device or browser, the previous session is replaced and will return SessionDeactivated on the next ping.
Session Status Management (Admin)
Administrators can manage user sessions via the Admin API:
GET /admin/user-session/{id}- View session detailsPOST /admin/user-session- Change session status (e.g., kick user, restrict chat)
Available session statuses:
| Status | Value | Description |
|---|---|---|
Normal | 1 | Active session with full access |
ChatDisabled | 2 | Chat functionality restricted |
SessionReplaced | 3 | Replaced by newer login |
Deactivated | 4 | Deactivated by administrator |
SharedAccess | 5 | Guest with shared content access |
PendingInvite | 6 | Pending guest invitation |
Expired | 7 | Session expired |
DeletedInvite | 8 | Invitation was revoked |
Token Lifecycle
| Property | Description |
|---|---|
Token | JWT access token for API requests. Include in Authorization: Bearer <token> header. |
RefreshToken | Use with POST /account/refresh-token to obtain a new access token. |
ExpirationSeconds | Duration in seconds until the access token expires. |
Guest User Management
Inviting Guests
Use POST /account/invite-user to invite users as guests with access to specific content:
- Provide an array of email addresses and the
ContentDefinitionIdfor the content to share - Each invited user receives an email with registration instructions
- New guest accounts are created with
PendingInvitationstatus
Removing Guests
Use POST /account/remove-user to revoke a guest's content access:
- Specify the user by
UserIdorEmailsalong with theContentId - The user's sessions are terminated
- If the user has no remaining content access, their account may be expired or removed
Live Channel Sessions (Portal)
GET /user-session/{id} returns the users associated with a live channel:
- Items: Currently online users with active sessions
- RelatedItems: Offline shared-access users (with " (offline)" suffix) and users with pending invitations
- Currently only supports live channel content definitions
Person Management
The person API manages person entities for facial recognition matching:
| Endpoint | Method | Description |
|---|---|---|
/person | POST | Create a new person (name must be unique) |
/person/{id} | GET | Retrieve person details and face match counts |
/person/{id} | PUT | Update a person (currently stubbed) |
/person/{id} | DELETE | Permanently delete a person |
/person/{id}/{faceMatchType} | GET | Get faces by match type (currently stubbed) |
Face Match Types
| Type | Value | Description |
|---|---|---|
Automatch | 1 | Automatically matched by AI with high confidence |
ProbableMatch | 2 | Probable match requiring manual review |
NotMatch | 3 | Reviewed and determined to not match |
ConfirmedMatch | 4 | Manually confirmed as a match |
Blurry | 5 | Too blurry for reliable matching |
Health Checks
| Endpoint | Auth Required | Description |
|---|---|---|
GET /ping | No | Returns "Pong" to confirm API is running |
GET /ping?includeHeaders=true | No | Returns all request headers (debugging) |
GET /ping/auth | Yes | Returns "Pong Auth" to validate Bearer token |
Common Error Responses
| Status Code | Description |
|---|---|
| 400 | Bad Request - Missing or invalid request parameters |
| 401 | Unauthorized - Missing or invalid Bearer token |
| 403 | Forbidden - Account is disabled, expired, or pending |
| 404 | Not Found - Resource not found or authentication failed |