Authentication
The Quazzar Space API uses JWT (JSON Web Tokens) for authentication. All authenticated requests require a Bearer token in the Authorization header.
Base URL
https://app.quazzar.space
All authentication endpoints are prefixed with /auth.
Login
Authenticate and receive a JWT access token.
POST /auth/login
curl -X POST https://app.quazzar.space/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password"
}'
Response (200 OK):
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"user": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "[email protected]",
"full_name": "Jane Developer",
"is_active": true,
"totp_enabled": false
}
}
If the user has TOTP enabled, a valid totp_code field must also be included in the login request body.
Error Responses:
| Status | Description |
|---|---|
| 401 | Invalid email or password |
| 403 | Account is deactivated |
| 422 | Validation error (missing fields) |
Using the Token
Include the JWT token in the Authorization header for all authenticated requests:
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
https://app.quazzar.space/users/me
Registration
Create a new user account.
POST /auth/register
curl -X POST https://app.quazzar.space/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "secure-password-123",
"full_name": "Jane Developer",
"company_name": "Acme Corp"
}'
Response (201 Created):
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "[email protected]",
"full_name": "Jane Developer",
"is_active": true,
"created_at": "2026-03-01T12:00:00Z"
}
| Status | Description |
|---|---|
| 409 | Email already registered |
| 422 | Validation error (weak password, invalid email) |
Logout
Invalidate the current session.
POST /auth/logout
curl -X POST https://app.quazzar.space/auth/logout \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Response (200 OK):
{
"message": "Successfully logged out"
}
Two-Factor Authentication (TOTP)
Provision TOTP
Enable two-factor authentication for the current user. Returns a secret and QR code for your authenticator app.
POST /auth/totp/provision
curl -X POST https://app.quazzar.space/auth/totp/provision \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN"
Response (200 OK):
{
"secret": "JBSWY3DPEHPK3PXP",
"uri": "otpauth://totp/Quazzar:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Quazzar",
"qr_code": "data:image/png;base64,iVBOR..."
}
Scan the qr_code or enter the secret manually in your authenticator app (Google Authenticator, Authy, 1Password).
Verify TOTP
Confirm TOTP setup by providing a valid code from your authenticator app.
POST /auth/totp/verify
curl -X POST https://app.quazzar.space/auth/totp/verify \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"code": "123456"}'
Response (200 OK):
{
"message": "TOTP successfully enabled",
"backup_codes": ["a1b2c3d4", "e5f6g7h8", "i9j0k1l2", "m3n4o5p6", "q7r8s9t0"]
}
Important: Store backup codes securely. They are shown only once and can be used if you lose your authenticator device.
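How the secret and uri returned by provisioning turn into the six-digit code that the verify endpoint expects, as an added example that is not part of the Quazzar documentation or code. It assumes the RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second period) because the URI above names none; `code_matches` is a generic verifier sketch with an assumed skew window, not Quazzar's server logic, and `SAMPLE_URI` is constructed.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Split an otpauth://totp/... provisioning URI into its fields."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": params["secret"],
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),   # defaults when the URI omits them
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32, at, digits=6, period=30):
    """RFC 6238 code for Unix time `at`, HMAC-SHA1 (assumed, URI names no algorithm)."""
    # Secrets are usually displayed without base32 padding; restore it first.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_matches(secret_b32, code, at, window=1, period=30):
    """Accept `code` for the current step or `window` steps either side (clock skew)."""
    ok = False
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at + step * period, len(code), period)
        ok |= hmac.compare_digest(expected, code)   # constant-time comparison
    return ok


# Constructed sample: same shape as the "uri" field above, placeholder account.
SAMPLE_URI = "otpauth://totp/Quazzar:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Quazzar"
```

Anyone holding the secret can compute valid codes indefinitely, so it needs the same protection as the backup codes.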
Disable TOTP
DELETE /auth/totp
curl -X DELETE https://app.quazzar.space/auth/totp \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"code": "123456"}'
Password Reset
Request Reset
POST /auth/password-reset/request
curl -X POST https://app.quazzar.space/auth/password-reset/request \
-H "Content-Type: application/json" \
-d '{"email": "[email protected]"}'
This endpoint always returns 200 OK regardless of whether the email exists, to prevent account enumeration.
Confirm Reset
POST /auth/password-reset/confirm
curl -X POST https://app.quazzar.space/auth/password-reset/confirm \
-H "Content-Type: application/json" \
-d '{
"token": "reset-token-from-email",
"new_password": "new-secure-password-456"
}'
| Status | Description |
|---|---|
| 400 | Invalid or expired reset token |
| 422 | New password does not meet requirements |
API Keys
For programmatic and CI/CD access, create API keys from your profile settings at Profile > API Keys in the Quazzar Space dashboard.
API keys are sent using the same Authorization header as JWT tokens:
curl -H "Authorization: Bearer YOUR_API_KEY" \
https://app.quazzar.space/projects
API keys do not expire automatically but can be revoked at any time from the dashboard. Each key can be scoped to specific projects.
Current User
Get Profile
GET /users/me
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
https://app.quazzar.space/users/me
Response (200 OK):
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "[email protected]",
"full_name": "Jane Developer",
"company_name": "Acme Corp",
"phone": "+1-555-0100",
"is_active": true,
"totp_enabled": true,
"created_at": "2026-01-15T08:30:00Z"
}
Update Profile
PATCH /users/me
curl -X PATCH https://app.quazzar.space/users/me \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"full_name": "Jane M. Developer", "phone": "+1-555-0200"}'
Returns the updated user object.
Rate Limits
| Endpoint | Rate Limit |
|---|---|
| POST /auth/login | 10 requests per minute per IP |
| POST /auth/register | 5 requests per minute per IP |
| POST /auth/password-reset/request | 3 requests per minute per IP |
| All other authenticated endpoints | 120 requests per minute per token |
When rate-limited, the API returns 429 Too Many Requests with a Retry-After header.
Next Steps
- Projects API — Create and manage projects
- Services API — Register and query services
- Billing API — Manage subscriptions and payments