Authentication
Doxtly provides a REST API built with API Platform. All API requests require authentication.
Authentication Methods
JWT Token (User Authentication)
For user-based authentication, obtain a JWT token by sending credentials to the login endpoint:

    curl -X POST https://api.yourcompany.doxtly.com/api/auth/login \
      -H "Content-Type: application/json" \
      -d '{
        "email": "user@example.com",
        "password": "your-password"
      }'

Response:

    {
      "token": "eyJhbGciOiJSUzI1NiIs...",
      "refreshToken": "abc123..."
    }

Use the token in subsequent requests:

    curl https://api.yourcompany.doxtly.com/api/documents \
      -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."

Access Keys (API Authentication)
For server-to-server integrations, use access keys. Create an access key in Settings → API Keys.

    curl https://api.yourcompany.doxtly.com/api/documents \
      -H "X-Access-Key: your-access-key-here"

Access keys are scoped to your organization and inherit the permissions of the user who created them.
Two-Factor Authentication
If two-factor authentication is enabled for a user account (Starter+ plans), the login flow includes an additional step:
- Send credentials to /api/auth/login
- If 2FA is required, you receive a challenge response
- Send the TOTP code to /api/auth/verify-2fa
- Receive the JWT token

    # Step 1: Login
    curl -X POST https://api.yourcompany.doxtly.com/api/auth/login \
      -H "Content-Type: application/json" \
      -d '{"email": "user@example.com", "password": "password"}'
    # Response: {"twoFactorRequired": true, "challengeToken": "..."}

    # Step 2: Verify 2FA
    curl -X POST https://api.yourcompany.doxtly.com/api/auth/verify-2fa \
      -H "Content-Type: application/json" \
      -d '{"challengeToken": "...", "code": "123456"}'
    # Response: {"token": "eyJ...", "refreshToken": "..."}

Token Refresh
JWT tokens expire after a configured period. Use the refresh token to obtain a new access token:

    curl -X POST https://api.yourcompany.doxtly.com/api/auth/refresh \
      -H "Content-Type: application/json" \
      -d '{"refreshToken": "abc123..."}'

Social Authentication
Doxtly also supports OAuth login via:
- Google — /api/auth/google
- Facebook — /api/auth/facebook
These are primarily used by the web application and redirect-based flows.
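
The login flow from the Two-Factor Authentication section, handling both the 2FA and the non-2FA response, as an added Python example that is not Doxtly's own client code. The function names, the `get_totp_code` callback and the offline `fake_server` are assumptions made for illustration; the page does not document error responses, so any reply without a token is rejected.

```python
import json
import urllib.request

BASE_URL = "https://api.yourcompany.doxtly.com"  # placeholder host used in the docs


def http_post(path, payload):
    """POST JSON over HTTPS and return the decoded JSON body."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login(email, password, get_totp_code, post=http_post):
    """Run the login flow and return (token, refresh_token).

    get_totp_code is a hypothetical callback, invoked only when the server
    asks for a second factor, so the short-lived code is read as late as
    possible and never requested for accounts without 2FA.
    """
    body = post("/api/auth/login", {"email": email, "password": password})
    if body.get("twoFactorRequired"):
        body = post("/api/auth/verify-2fa", {
            "challengeToken": body["challengeToken"],
            "code": get_totp_code(),
        })
    # Fail closed: a response without a token is never treated as a session.
    if not body.get("token"):
        raise PermissionError("login did not return a token")
    return body["token"], body.get("refreshToken")


def fake_server(path, payload):
    """Constructed stand-in for the API so the example runs offline."""
    expected = {"challengeToken": "chal-1", "code": "123456"}
    if path == "/api/auth/login":
        return {"twoFactorRequired": True, "challengeToken": "chal-1"}
    if path == "/api/auth/verify-2fa" and payload == expected:
        return {"token": "jwt-demo", "refreshToken": "refresh-demo"}
    return {}


if __name__ == "__main__":
    print(login("user@example.com", "password", lambda: "123456", post=fake_server))
```
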
Rate Limiting
API requests are rate-limited to prevent abuse. Current limits:
- 100 requests per minute per access key
- 200 requests per minute per authenticated user
Rate limit headers are included in every response:

    X-RateLimit-Limit: 100
    X-RateLimit-Remaining: 95
    X-RateLimit-Reset: 1714060800