
Tokens & Sessions

Login Response

On successful login the IDP returns LoginResponseDto:

{
"accessToken": "…",
"refreshToken": "…",
"jti": "…",
"user": { /* profile */ }
}

When MFA is required, the login call returns MfaChallengeDto instead of tokens:

{
"mfaRequired": true,
"challengeId": "…"
}

Refresh

There are two supported refresh paths. Web clients should prefer the cookie-backed flow: the refresh token then lives only in an HttpOnly cookie and never passes through page script.

1. Cookie-backed (Browser)

  • POST /auth/refresh with no body, withCredentials: true, and the X-XSRF-Token header (its value is the readable XSRF-TOKEN cookie)
  • IDP reads the idp_rt/idp_jti cookies, rotates them, and returns { accessToken } (and jti)

2. Body Payload (Legacy / Non-browser)

  • POST /auth/refresh with { jti, refreshToken } in the body; the client is responsible for storing both

Logout

POST /auth/logout revokes the active session by jti and clears the session cookies:

idp_rt=; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age=0
idp_jti=; HttpOnly; Secure; SameSite=None; Path=/api/auth; Max-Age=0
XSRF-TOKEN=; Secure; SameSite=None; Path=/api/auth; Max-Age=0

The clearing headers repeat the Path of the original cookies because a browser only replaces a cookie whose name, domain and path all match. XSRF-TOKEN is deliberately not HttpOnly: the client reads it to populate the X-XSRF-Token header on refresh. With SameSite=None the refresh cookies are also sent on cross-site requests, so CSRF protection of /auth/refresh rests entirely on that header check.

Session Notifications

The IDP exposes /ws/events for simple real-time notifications such as "Logged in successfully".