Auth API
A multi-tenant, modular authentication and authorization service powering the Febasi ecosystem.
The Febasi Auth API is the centralized identity service for every Febasi product. It owns users, sessions, roles, permissions, tenants, and the machine-to-machine credentials that connect them.
It is multi-tenant by design, modular by architecture, and already in production at:
https://auth.febasi.com.br/api/v1
What it gives you
Multi-tenant identity
Logical (row-level) and physical (per-tenant database) isolation, with tenant-aware routing and encrypted connection strings.
Authentication
Email, username, or CPF/CNPJ + password login. JWT access tokens with refresh-token rotation and atomic session limits.
Hierarchical RBAC
Roles with levels 1–100, scope:action permissions, role-based and direct grants, expiration dates on both.
Client Keys
Service-to-service API keys with scoped permissions, usage logs, and revocation.
Per-tenant JWT secrets
Each tenant can mint its own JWT secret with safe rotation — old tokens keep working until the previous secret expires.
Audit & security
Every meaningful event is logged. Built-in security metrics catch brute-force patterns out of the box.
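The RBAC model above (roles with a numeric level, scope:action permissions, role-based and direct grants that can expire) is easy to get subtly wrong, usually by forgetting to check expiry on one of the two grant kinds. The following is an added illustration of such a check, written for this page and not the Auth API's own code; the class names, the rule that a higher level is more privileged, and the rule that an actor may only assign roles strictly below its own highest level are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed illustration of the RBAC model described on this page.
# Names and the level/assignment rules are assumptions, not the Auth API's types.


@dataclass(frozen=True)
class Role:
    name: str
    level: int                      # 1-100; assumed: higher level = more privileged
    permissions: FrozenSet[str]     # "scope:action" strings, e.g. "users:read"


@dataclass(frozen=True)
class RoleGrant:
    role: Role
    expires_at: Optional[datetime]  # None = never expires


@dataclass(frozen=True)
class DirectGrant:
    permission: str                 # one "scope:action" granted straight to the user
    expires_at: Optional[datetime]


@dataclass
class User:
    role_grants: List[RoleGrant]
    direct_grants: List[DirectGrant]


def is_active(expires_at: Optional[datetime], now: datetime) -> bool:
    return expires_at is None or now < expires_at


def parse_permission(perm: str) -> Tuple[str, str]:
    """Validate the scope:action shape so malformed names fail closed."""
    scope, sep, action = perm.partition(":")
    if not sep or not scope or not action:
        raise ValueError(f"malformed permission {perm!r}, expected scope:action")
    return scope, action


def effective_permissions(user: User, now: datetime) -> Set[str]:
    """Union of permissions from non-expired role grants and direct grants."""
    perms: Set[str] = set()
    for rg in user.role_grants:
        if is_active(rg.expires_at, now):
            perms |= rg.role.permissions
    for dg in user.direct_grants:
        if is_active(dg.expires_at, now):
            perms.add(dg.permission)
    return perms


def has_permission(user: User, required: str, now: Optional[datetime] = None) -> bool:
    parse_permission(required)
    now = now or datetime.now(timezone.utc)
    return required in effective_permissions(user, now)


def max_level(user: User, now: datetime) -> int:
    """Highest level among the user's non-expired roles (0 if none)."""
    levels = [rg.role.level for rg in user.role_grants if is_active(rg.expires_at, now)]
    return max(levels, default=0)


def can_assign_role(actor: User, target: Role, now: Optional[datetime] = None) -> bool:
    """Assumed hierarchy rule: only hand out roles strictly below the actor's own level."""
    now = now or datetime.now(timezone.utc)
    return max_level(actor, now) > target.level


def sample_scenario():
    """Constructed sample data: one user, one expired and one live direct grant."""
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
    editor = Role("editor", 40, frozenset({"posts:read", "posts:write"}))
    viewer = Role("viewer", 10, frozenset({"posts:read"}))
    alice = User(
        role_grants=[RoleGrant(editor, None)],
        direct_grants=[
            DirectGrant("billing:read", now + timedelta(days=7)),   # still valid
            DirectGrant("reports:read", now - timedelta(days=1)),   # expired yesterday
        ],
    )
    return now, alice, editor, viewer


if __name__ == "__main__":
    now, alice, editor, viewer = sample_scenario()
    print(has_permission(alice, "posts:write", now))   # True, via the editor role
    print(has_permission(alice, "reports:read", now))  # False, direct grant expired
    print(can_assign_role(alice, viewer, now))         # True, 40 > 10
    print(can_assign_role(alice, editor, now))         # False, not strictly above 40
```

The check is deny-by-default: a malformed permission string raises instead of matching nothing silently, and expiry is evaluated against an explicit `now` so the same logic can be unit-tested without waiting for real time to pass.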
Built-in conventions
- Versioned URLs. Every endpoint lives under `/api/v1/...`. Breaking changes ship as `/api/v2/...`, never as a silent change to v1.
- Standard JSON envelope. Every response, success or error, wraps its payload the same way:

  ```json
  { "success": true, "data": { "...": "..." } }
  ```

  ```json
  { "success": false, "error": "Human message", "code": "MACHINE_CODE" }
  ```

- One identifier from any of three. Users authenticate with `email`, `username`, or `cpf_cnpj`, whichever the tenant chose to enable.
- Bcrypt with work factor 12 for password hashing, above the minimum of 10 that the OWASP Password Storage Cheat Sheet recommends. Bcrypt only hashes the first 72 bytes of input, so enforce a maximum password length rather than letting longer passwords be silently truncated.
- HS256 JWTs with per-tenant secrets where configured, with safe rotation. HS256 is symmetric: any service that holds a tenant's secret can mint tokens for that tenant as well as verify them, so keep the secret limited to the auth service and the resource servers that must verify, and have verifiers pin the algorithm to HS256 instead of trusting the token's `alg` header.
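The rotation behaviour described under "Per-tenant JWT secrets" (a new secret takes over signing, and tokens signed with the old one keep verifying until that secret expires) and the HS256 convention above both come down to one verifier routine. Below is an added example of that routine, written for this page and not the Auth API's own code; it uses only the standard library rather than a JWT package, and the `TenantSecrets` class, its grace-period bookkeeping and the sample secrets are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterator, Optional

# Constructed illustration of per-tenant HS256 secrets with a grace period for
# the previous secret. Names and structure are assumptions, not the Auth API's code.


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TenantSecrets:
    """Current signing secret plus the previous one, kept for verification until it expires."""

    def __init__(self, current: bytes):
        self.current = current
        self.previous: Optional[bytes] = None
        self.previous_expires_at: float = 0.0

    def rotate(self, new_secret: bytes, grace_seconds: float, now: float) -> None:
        # Only the new secret signs from now on; the old one verifies for as long as
        # tokens signed with it can still be alive (the grace period).
        self.previous = self.current
        self.previous_expires_at = now + grace_seconds
        self.current = new_secret

    def verification_keys(self, now: float) -> Iterator[bytes]:
        yield self.current
        if self.previous is not None and now < self.previous_expires_at:
            yield self.previous


def verify_hs256(token: str, secrets: TenantSecrets, now: Optional[float] = None) -> dict:
    """Return the claims if the token verifies under any active secret; raise otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the verifier, not the token, decides. This rejects alg=none
    # and any attempt to switch the token to another algorithm.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{h}.{p}".encode("ascii")
    provided = b64url_decode(s)
    for key in secrets.verification_keys(now):
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, provided):   # constant-time comparison
            claims = json.loads(b64url_decode(p))
            if "exp" in claims and now >= claims["exp"]:
                raise ValueError("token expired")
            return claims
    raise ValueError("signature does not match any active secret")


if __name__ == "__main__":
    t0 = 1_700_000_000.0                                  # fixed clock for the demo
    tenant = TenantSecrets(b"old-secret")                 # constructed sample secret
    old_token = sign_hs256({"sub": "u1", "tenant": "t1", "exp": t0 + 7200}, b"old-secret")
    tenant.rotate(b"new-secret", grace_seconds=3600, now=t0 + 60)
    print(verify_hs256(old_token, tenant, now=t0 + 120)["sub"])   # still verifies in grace
    try:
        verify_hs256(old_token, tenant, now=t0 + 3700)            # grace over: rejected
    except ValueError as e:
        print(e)
```

Two details matter in production: the grace period must be at least the maximum lifetime of an access token signed with the old secret, otherwise valid sessions break mid-rotation, and the previous secret must only ever be used to verify, never to sign, or the rotation accomplishes nothing.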
Pick your path
Get started in 5 minutes
Run a login, get an access token, and call /me. The fastest path to a "yes, it works."
Walk through a login flow
The full request/response anatomy of POST /login, including the rare edge cases.
See every endpoint
The complete API surface, grouped by module, with required permissions.
Production base URL
| Environment | Base URL |
|---|---|
| Production | https://auth.febasi.com.br/api/v1 |
| Local dev | http://localhost:3001/api/v1 |
The interactive Swagger UI is published at /docs on the production host
and ships the same OpenAPI 3.1 spec used to generate the Postman collection
that lives with the service repository.