Authentication API

Secure your API access with OAuth 2.0 and API key authentication methods.

Authentication Methods

API Key Authentication

Simple authentication using API keys for server-to-server communication.

Usage:

Include your API key in the X-API-Key header of every request.

curl -X GET https://api.klasstra.com/students \
  -H "X-API-Key: your_api_key_here" \
  -H "Content-Type: application/json"

Pros & Cons:

Advantages:
  • Simple to implement
  • No token expiration
  • Perfect for server apps
Considerations:
  • Less secure than OAuth
  • No granular permissions

OAuth 2.0

Industry-standard authentication with access tokens and refresh tokens.

Usage:

Send the access token as a Bearer token in the Authorization header.

curl -X GET https://api.klasstra.com/students \
  -H "Authorization: Bearer your_access_token" \
  -H "Content-Type: application/json"

Pros & Cons:

Advantages:
  • Highly secure
  • Granular permissions
  • Token expiration
  • Industry standard
Considerations:
  • More complex implementation
  • Requires token refresh

Authentication Endpoints

POST

/auth/login

Authenticate a user and obtain an access token and a refresh token

Parameters

email (string, required)

User email address

password (string, required)

User password

Response

Success Response (200)
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "user": {
    "id": 123,
    "email": "user@example.com",
    "name": "John Doe",
    "role": "teacher"
  }
}

Error Response (401)
{
  "error": "invalid_credentials",
  "message": "Invalid email or password"
}

POST

/auth/refresh

Obtain a new access token by presenting a valid refresh token

Parameters

refresh_token (string, required)

Valid refresh token

Response

Success Response (200)
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600
}

POST

/auth/logout

Invalidate the current access token

Parameters

No parameters required

Response

Success Response (200)
{
  "message": "Successfully logged out"
}

GET

/auth/profile

Get the current user's profile information

Parameters

No parameters required

Response

Success Response (200)
{
  "id": 123,
  "email": "user@example.com",
  "name": "John Doe",
  "role": "teacher",
  "permissions": ["read:students", "write:grades"],
  "institution": {
    "id": 456,
    "name": "Example School"
  }
}

Security Best Practices

API Key Security

  • Store API keys securely (environment variables, not in code)
  • Use HTTPS for all API requests
  • Rotate API keys regularly
  • Monitor API key usage

OAuth 2.0 Security

  • Implement token refresh logic
  • Use secure redirect URIs
  • Validate the state parameter
  • Handle token expiration gracefully
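The refresh logic and graceful expiry handling listed above, worked through as an added example that is not part of the Klasstra documentation or any official SDK: a small Python client logs in via /auth/login, reuses the access token until shortly before expires_in elapses, then calls /auth/refresh, and falls back to a fresh login if the refresh token is rejected. The injected post transport and the fake_post server are assumptions constructed so the example runs offline.

```python
import time

class TokenSession:
    """Caches the tokens from /auth/login and calls /auth/refresh before the access
    token's expires_in window closes, so every request carries a valid Bearer token."""

    def __init__(self, post, email, password, skew=60):
        # post(path, body) -> (status, json_dict): injected transport (assumed here)
        self.post, self.email, self.password = post, email, password
        self.skew = skew  # seconds of slack before expiry triggers a refresh
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, body):
        self.access_token = body["access_token"]
        self.expires_at = time.time() + body["expires_in"]

    def login(self):
        status, body = self.post("/auth/login", {"email": self.email, "password": self.password})
        if status != 200:  # 401 body: {"error": "invalid_credentials", ...}
            raise PermissionError(body.get("error", "login_failed"))
        self.refresh_token = body["refresh_token"]
        self._store(body)

    def refresh(self):
        status, body = self.post("/auth/refresh", {"refresh_token": self.refresh_token})
        if status == 200:
            self._store(body)
        else:  # refresh token revoked or expired: fall back to a full login
            self.login()

    def auth_header(self):
        # Log in on first use, refresh when inside the skew window, else reuse.
        if self.access_token is None:
            self.login()
        elif time.time() >= self.expires_at - self.skew:
            self.refresh()
        return {"Authorization": f"Bearer {self.access_token}"}

CALLS = []  # endpoints hit on the constructed fake server below (not the real API)

def fake_post(path, body):
    CALLS.append(path)
    # One fresh token per call so a refresh is observable in the returned header.
    ok = {"access_token": f"token{len(CALLS)}", "token_type": "Bearer", "expires_in": 3600}
    if path == "/auth/login" and body.get("password") == "correct horse":
        return 200, dict(ok, refresh_token="rt1")
    if path == "/auth/refresh" and body.get("refresh_token") == "rt1":
        return 200, ok
    return 401, {"error": "invalid_credentials", "message": "Invalid email or password"}
```

To use it against the real service, replace fake_post with a function that POSTs JSON to https://api.klasstra.com and returns the status code and decoded body.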

Ready to Authenticate?

Now that you understand authentication, explore the other API endpoints.