Security & Authentication
API Authentication
The API uses Bearer token authentication (stateless). Tokens can be extracted from:
- the `Authorization: Bearer <token>` header
- the `?access_token=<token>` query parameter
Tokens are stored in the ApiToken entity and associated with a User. Each token has scopes and an optional expiration date.
Create tokens via the admin interface under API Tokens.
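The following is an added example of how the token lookup described above can be wired into Symfony's `access_token` authenticator; it is not the project's own code. The `ApiTokenRepository`, the `ApiToken` getters (`getExpiresAt()`, `getScopes()`, `getUser()`) and the `token` column name are assumptions about the entity the page mentions. Symfony's built-in extractors handle reading the token from the header or query string; the handler only has to turn the raw token into a user.

```php
<?php
// Added example, not the project's code. Resolves a bearer token from the
// ApiToken table to a user and rejects expired tokens. Entity and repository
// method names are assumptions.

namespace App\Security;

use App\Repository\ApiTokenRepository;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

final class ApiTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(private readonly ApiTokenRepository $tokens)
    {
    }

    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        // Look the token up by its stored value (assumed column name "token").
        // If tokens are stored hashed, hash $accessToken here and look up the hash.
        $token = $this->tokens->findOneBy(['token' => $accessToken]);
        if ($token === null) {
            // Same generic failure for "unknown" and "expired" so the response
            // does not reveal which tokens exist.
            throw new BadCredentialsException('Invalid API token.');
        }

        // Optional expiration date: a null value means the token does not expire.
        $expiresAt = $token->getExpiresAt();
        if ($expiresAt !== null && $expiresAt <= new \DateTimeImmutable()) {
            throw new BadCredentialsException('Invalid API token.');
        }

        // Return the user identifier plus a loader that yields the associated
        // User entity; this is what satisfies IS_AUTHENTICATED_FULLY on /api/*.
        // Scopes are not enforced here; a voter can read them from the entity
        // (for example $token->getScopes()) when authorising individual routes.
        $user = $token->getUser();

        return new UserBadge(
            $user->getUserIdentifier(),
            static fn () => $user,
        );
    }
}
```

In `security.yaml` the `/api/*` firewall would reference this class via `access_token: { token_handler: App\Security\ApiTokenHandler, token_extractors: [header, query_string] }`. Keep in mind that the query-string form puts the token into web-server and proxy access logs and browser history, so the header form is the one to recommend to API clients and the one to expect in log-based detection of token misuse.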
Web Authentication
The admin interface uses form-based login with:
- CSRF protection
- Login throttling (5 attempts per minute)
- Remember-me (2 weeks)
- Password reset via email
- Email verification on registration
Access Control
| Path | Required Role |
|---|---|
| /api/doc | Public |
| /.well-known/* | Public |
| /api/* | IS_AUTHENTICATED_FULLY (valid API token) |
| /login, /register, /verify, /reset-password | Public |
| /account | IS_AUTHENTICATED_FULLY (logged-in user) |
| /admin | ROLE_ADMIN |
User Roles
- `ROLE_USER` - Default role (all authenticated users)
- `ROLE_ADMIN` - Admin interface access
Email Domain Whitelist
Registration can be restricted to specific email domains using the AllowedDomain entity. Managed via the admin interface.
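An added example (not the project's code) of the domain check a registration form can run against the `AllowedDomain` list. The list is passed in as plain strings, so how it is loaded from the `AllowedDomain` entity is left open; the sample addresses and domains at the bottom are constructed for the demo. The check uses exact host matching rather than a suffix match, so `example.org.attacker.test` does not pass for `example.org`, and it validates the address first so a malformed string with two `@` signs cannot be split into a whitelisted domain.

```php
<?php
// Added example, not the project's code. Decides whether a registration
// email belongs to one of the allowed domains. The domain list would come
// from the AllowedDomain entity; here it is a constructed array.

final class AllowedDomainChecker
{
    /** @var string[] normalised (lower-case, no trailing dot) domains */
    private array $allowed = [];

    /** @param string[] $allowedDomains raw values as stored by the admin */
    public function __construct(array $allowedDomains)
    {
        foreach ($allowedDomains as $domain) {
            $this->allowed[self::normalise($domain)] = true;
        }
    }

    public function isAllowed(string $email): bool
    {
        // Reject anything that is not a syntactically valid address before
        // splitting, so "user@evil.test@example.org" is never treated as
        // an example.org address.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }

        $domain = substr(strrchr($email, '@'), 1);

        // Exact match only: a suffix check such as str_ends_with() would
        // accept "example.org.attacker.test" for "example.org".
        return isset($this->allowed[self::normalise($domain)]);
    }

    private static function normalise(string $domain): string
    {
        // DNS names are case-insensitive and may carry a trailing dot.
        // Internationalised domains should additionally be converted to
        // ASCII (idn_to_ascii from ext-intl) before comparison; that step
        // is omitted here and is an assumption about the deployment.
        return strtolower(rtrim(trim($domain), '.'));
    }
}

// Constructed sample data for a manual run.
$checker = new AllowedDomainChecker(['Example.org', 'corp.example.']);
foreach (['alice@EXAMPLE.org', 'bob@corp.example', 'eve@example.org.attacker.test', 'x@evil.test@example.org'] as $email) {
    printf("%-35s %s\n", $email, $checker->isAllowed($email) ? 'allowed' : 'rejected');
}
```

In a Symfony form the same logic fits naturally into a custom validation constraint on the registration email field, evaluated before the verification email is sent so that addresses outside the whitelist never receive a token.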