API Overview

General information about the Tzylo Auth CE HTTP API.

Tzylo Auth CE exposes a REST-style HTTP API for authentication, session management, and OTP-based flows.

All endpoints are designed to be simple, predictable, and easy to integrate with frontend or backend applications.

Base URL

When running locally, the default base URL is:

Base URL
http://localhost:7200

In production, this will be the domain or IP where you host Tzylo Auth CE. Serve it over HTTPS: the access token and the refresh cookie travel with every request and must not cross the network in clear text.

Request Format

All requests use JSON.

Headers
Content-Type: application/json

Protected endpoints require an access token sent using the Authorization header.

Authorization Header
Authorization: Bearer <access_token>

Authentication Model

Tzylo Auth CE uses a dual-token model:

  • Access Token – Short-lived JWT used for API access
  • Refresh Token – Long-lived token used to issue new access tokens

Refresh tokens are stored as HTTP-only cookies, so they cannot be read by page scripts; this limits what an injected script (XSS) can steal to the short-lived access token.

Cookies

Some endpoints (login, refresh, logout) use secure cookies to manage refresh tokens.

Your client must allow cookies to be sent with these requests. If the frontend is served from a different origin than Tzylo Auth CE, the browser only sends the cookie when the server's CORS configuration allows credentials for that origin.

Fetch
credentials: "include"

Axios
withCredentials: true

Response Format

Successful responses follow a consistent structure:

Success Response
{
  "success": true,
  "data": { ... }
}

Error responses return a non-2xx HTTP status code and include an error message.

Error Response
{
  "success": false,
  "message": "Invalid credentials"
}

Rate Limiting

Built-in rate limiting is enabled by default to protect against abuse such as credential stuffing and OTP brute-forcing.

If a request is rate-limited, the API responds with HTTP 429. Clients should back off rather than retry immediately.

Error Codes

  • 400 – Invalid request or missing fields
  • 401 – Unauthorized or invalid token
  • 403 – Forbidden
  • 404 – Resource not found
  • 429 – Rate limit exceeded
  • 500 – Internal server error

Next Steps

Start with the authentication endpoints to register and log in users.

  • Register a user
  • Log in to obtain tokens
  • Use the access token for protected APIs
  • Refresh tokens when access tokens expire
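The steps above, together with the dual-token model, the cookie requirement and the response envelope described earlier, as a small client written for this page (it is an added example, not Tzylo Auth CE's own SDK). The endpoint paths /auth/login and /auth/refresh, the protected path /me, and the data.accessToken field name are assumptions not stated on this page; replace them with the real endpoint reference. The in-memory fake server is constructed here so the example runs offline.

```javascript
// Added example for this page, not the project's own code. Assumed (not on the page):
// paths /auth/login, /auth/refresh, /me, and the JWT arriving as data.accessToken.
const BASE_URL = "http://localhost:7200";

class ApiError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

class TzyloClient {
  constructor(fetchImpl, baseUrl = BASE_URL) {
    this.fetchImpl = (...args) => fetchImpl(...args); // keeps window.fetch's expected `this`
    this.baseUrl = baseUrl;
    // The access token stays in memory; the refresh token lives only in the
    // HTTP-only cookie that the browser attaches for us.
    this.accessToken = null;
  }

  // Unwrap the { success, data } / { success, message } envelope.
  async unwrap(res) {
    const body = await res.json();
    if (!res.ok || body.success !== true) {
      throw new ApiError(res.status, body.message || `HTTP ${res.status}`);
    }
    return body.data;
  }

  async login(email, password) {
    const res = await this.fetchImpl(`${this.baseUrl}/auth/login`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "include", // needed so the refresh-token Set-Cookie is honoured
      body: JSON.stringify({ email, password }),
    });
    const data = await this.unwrap(res);
    this.accessToken = data.accessToken;
    return data;
  }

  async refresh() {
    // The refresh token rides in the cookie, so no Authorization header is sent.
    const res = await this.fetchImpl(`${this.baseUrl}/auth/refresh`, {
      method: "POST",
      credentials: "include",
    });
    const data = await this.unwrap(res);
    this.accessToken = data.accessToken;
    return data;
  }

  // Call a protected endpoint with the bearer token. On 401, refresh once and
  // retry once; a second 401 is surfaced to the caller (e.g. to force re-login).
  async request(path, options = {}, retried = false) {
    const res = await this.fetchImpl(`${this.baseUrl}${path}`, {
      ...options,
      headers: { "Content-Type": "application/json", ...(options.headers || {}),
                 Authorization: `Bearer ${this.accessToken}` },
      credentials: "include",
    });
    if (res.status === 401 && !retried) {
      await this.refresh();
      return this.request(path, options, true);
    }
    return this.unwrap(res);
  }
}

// Constructed stand-in for the server so the example runs offline. It mimics the
// envelope and status codes from this page; tokens and paths are made up.
function makeFakeServer() {
  let issued = 0;
  let hasCookie = false; // stands in for the browser holding the HTTP-only cookie
  let liveToken = null;  // the one currently valid access token
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  return async (url, opts = {}) => {
    const path = new URL(url).pathname;
    if (path === "/auth/login") {
      const { email, password } = JSON.parse(opts.body);
      if (password !== "correct horse battery") return reply(401, { success: false, message: "Invalid credentials" });
      hasCookie = opts.credentials === "include";
      liveToken = `access-${++issued}`;
      return reply(200, { success: true, data: { accessToken: liveToken, user: { email } } });
    }
    if (path === "/auth/refresh") {
      if (!hasCookie || opts.credentials !== "include") return reply(401, { success: false, message: "Missing refresh token" });
      liveToken = `access-${++issued}`;
      return reply(200, { success: true, data: { accessToken: liveToken } });
    }
    if (path === "/me") {
      if (liveToken === null || opts.headers.Authorization !== `Bearer ${liveToken}`) return reply(401, { success: false, message: "Invalid token" });
      const used = liveToken;
      liveToken = null; // expire the short-lived token after one use to exercise the refresh path
      return reply(200, { success: true, data: { token: used } });
    }
    return reply(404, { success: false, message: "Resource not found" });
  };
}

// Log in, then call a protected endpoint twice: the second call meets an expired
// access token, refreshes through the cookie, and retries transparently.
async function demo() {
  const client = new TzyloClient(makeFakeServer());
  await client.login("alice@example.com", "correct horse battery");
  const first = await client.request("/me");
  const second = await client.request("/me");
  return { first: first.token, second: second.token, current: client.accessToken };
}

// A failed login surfaces the envelope's message and status as an ApiError.
async function badLogin() {
  const client = new TzyloClient(makeFakeServer());
  try { await client.login("alice@example.com", "wrong"); return null; }
  catch (e) { return { status: e.status, message: e.message }; }
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The retry is deliberately limited to one refresh per request: if the refresh itself fails (cookie missing, expired, or revoked) the ApiError with status 401 reaches the caller, which is the point at which a frontend should send the user back to the login screen rather than loop.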