
Authentication

How to authenticate requests to a TWIN supply-chain node.

Every API call requires two things: a session cookie (obtained by logging in) and an x-api-key (provided by your node operator). Policy endpoints additionally accept a Bearer JWT extracted from the cookie.

| Credential | Where it comes from | Used on |
| --- | --- | --- |
| x-api-key | Your node operator | Every request, including login |
| Session cookie (access_token) | POST /authentication/login | DSC and data endpoints |
| Bearer JWT | Extracted from the session cookie | Policy endpoints |

POST /authentication/login

Log in to obtain a session cookie.

Request
POST /authentication/login
Content-Type: application/json
x-api-key: <your-api-key>
Body
{
  "email": "user@example.com",
  "password": "your-password"
}

Response 200

The JWT is delivered via Set-Cookie, not the response body.

Response headers
Set-Cookie: access_token=<jwt>; HttpOnly; Path=/; SameSite=Strict
Response body
{
  "expiry": 1719150000000,
  "identity": "did:entity-storage:0x..."
}

expiry is milliseconds since Unix epoch. identity is the DID of the authenticated user.

Errors

| Status | Cause |
| --- | --- |
| 401 | Wrong email or password |
| 400 | Missing or malformed field |
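
A client-side sketch of handling the login response above, added here as an example and not taken from the TWIN code base: it reads the JWT from Set-Cookie rather than the body, converts the millisecond expiry, and builds the headers for each endpoint class. The function names, the sample token and the Authorization: Bearer header form are assumptions; the sample response is constructed from the values shown on this page.

```python
import json
from datetime import datetime, timezone
from http.cookies import SimpleCookie

# Constructed sample of a 200 login response (token is a placeholder, not a real JWT).
SAMPLE_SET_COOKIE = "access_token=aaa.bbb.ccc; HttpOnly; Path=/; SameSite=Strict"
SAMPLE_BODY = '{"expiry": 1719150000000, "identity": "did:entity-storage:0x..."}'


def parse_login_response(set_cookie: str, body: str) -> dict:
    """Extract the session JWT, its cookie attributes and the expiry."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    if "access_token" not in cookie:
        # The JWT is never in the body, so a missing cookie means no session.
        raise ValueError("login response carried no access_token cookie")
    morsel = cookie["access_token"]
    data = json.loads(body)
    return {
        "token": morsel.value,
        "http_only": bool(morsel["httponly"]),
        "same_site": morsel["samesite"],
        # expiry is milliseconds since the Unix epoch, not seconds.
        "expires_at": datetime.fromtimestamp(data["expiry"] / 1000, tz=timezone.utc),
        "identity": data["identity"],
    }


def headers_for(session: dict, api_key: str, policy: bool, now=None) -> dict:
    """Build request headers: cookie for DSC/data calls, Bearer for policy calls."""
    now = now or datetime.now(timezone.utc)
    if now >= session["expires_at"]:
        raise PermissionError("session expired; log in again")
    headers = {"x-api-key": api_key}  # required on every request
    if policy:
        # Assumed header form for the Bearer JWT extracted from the cookie.
        headers["Authorization"] = f"Bearer {session['token']}"
    else:
        headers["Cookie"] = f"access_token={session['token']}"
    return headers


if __name__ == "__main__":
    session = parse_login_response(SAMPLE_SET_COOKIE, SAMPLE_BODY)
    print(session["identity"], session["expires_at"].isoformat())
```

Because the cookie is HttpOnly, browser scripts cannot read it; a non-browser client takes the token from the Set-Cookie response header as shown and should keep it out of logs.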

POST /authentication/login/create

Provisions a new user account on the node. Use this only if your node operator asks you to self-provision — accounts are normally created during onboarding.

Request
POST /authentication/login/create
Content-Type: application/json
x-api-key: <your-api-key>
Body
{
  "email": "user@example.com",
  "password": "your-password",
  "profileName": "Alice",
  "organizationId": "did:entity-storage:0x..."
}

| Field | Required | Description |
| --- | --- | --- |
| email | Yes | Email address for the new account |
| password | Yes | Password |
| profileName | No | Display name |
| organizationId | No | DID of an existing organisation to join. If omitted, a new organisation is created. |

Response 201

Response body
{
  "token": "<jwt>",
  "expiry": 1704067200000,
  "identity": "did:entity-storage:0x...",
  "organizationId": "did:entity-storage:0x...",
  "apiKey": "<your-x-api-key>"
}

apiKey is your x-api-key for subsequent API calls.

Error codes

| Status | Cause |
| --- | --- |
| 400 | Missing or invalid field |
| 401 | Missing x-api-key header |
| 404 | organizationId not found in this node |
| 500 | Email already registered |
