Authentication
The ColisMove API uses JWT (JSON Web Token) bearer tokens for authentication. Validation of an access token is stateless; the one piece of server-side state is the blacklist that logout writes to (see Logout below). After login, you receive an access token and a refresh token.
Token Types
| Token | Lifetime | Purpose |
|---|---|---|
| Access Token | 15 minutes | Authenticates API requests |
| Refresh Token | 7 days | Obtains new access tokens |
Authentication Flow
Using the Access Token
Send the access token as a Bearer token in the Authorization header of every authenticated request:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
https://api.colismove.com/v1/api/user/me
Refreshing Tokens
When your access token has expired, or has been blacklisted by a logout, the API rejects the request with HTTP 401. Use the refresh token to obtain a new pair, then replace both stored tokens with the new ones. If the refresh call itself is rejected (the refresh token has reached its 7-day lifetime or was blacklisted by a logout), the user must log in again:
curl -X POST https://api.colismove.com/v1/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refreshToken": "your-refresh-token"}'
OAuth2 Login
ColisMove supports social login via:
- Google OAuth2 — POST /v1/api/auth/oauth2/google
- Apple OAuth2 — POST /v1/api/auth/oauth2/apple
Both return the same JWT token pair as regular login.
Roles
| Role | Description | Capabilities |
|---|---|---|
| ROLE_CLIENT | Default user | Browse, book parcels |
| ROLE_VERIFIED_USER | KYC approved | Create announcements, carry parcels |
| ROLE_ADMIN | Administrator | Manage users, view reports |
| ROLE_SUPERADMIN | Super administrator | Full platform control, audit logs |
Logout
To invalidate your tokens:
curl -X POST https://api.colismove.com/v1/api/auth/logout \
-H "Authorization: Bearer {accessToken}" \
-H "Content-Type: application/json" \
-d '{"refreshToken": "your-refresh-token"}'
After logout, both the access token and the refresh token are blacklisted server-side and cannot be reused, even though the access token's expiry time has not yet passed. The client should also delete its local copies of both tokens.
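The three operations above (sending the Bearer header, refreshing on expiry or on a 401, and logging out) put together in one client, as an added example that is not ColisMove's code. It talks to an in-memory stand-in for the API (FakeColisMove) so that it runs offline; the token claims (`kind`, `jti`), the dummy signature, the error bodies and the `jwt_payload`/`needs_refresh`/`Session` helpers are all assumptions of this example, not things the page specifies. The client reads `exp` from the JWT payload without verifying the signature, which is fine for deciding when to refresh but must never be the basis of an authorization decision: only the server, which holds the key and the blacklist, can make that call.

```python
import base64
import json
# Constructed stand-in for the ColisMove token lifecycle (not the project's code);
# lifetimes follow the Token Types table, token format and claims are assumptions.
ACCESS_TTL = 15 * 60
REFRESH_TTL = 7 * 24 * 3600

def jwt_payload(token: str) -> dict:
    """Read claims WITHOUT verifying the signature (no key on the client); only for timing."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def needs_refresh(token: str, now: float, skew: int = 30) -> bool:
    """True if the access token is expired or expires within `skew` seconds."""
    return jwt_payload(token)["exp"] - skew <= now

class FakeColisMove:
    """In-memory model of the auth endpoints; `revoked` is the Logout blacklist."""

    def __init__(self):
        self.clock, self.revoked, self.serial = 0, set(), 0   # clock in seconds

    def _token(self, sub, ttl, kind):
        enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
        self.serial += 1
        claims = {"sub": sub, "kind": kind, "exp": self.clock + ttl, "jti": self.serial}
        return ".".join([enc(b'{"alg":"HS256","typ":"JWT"}'), enc(json.dumps(claims).encode()), "fakesig"])

    def login(self, user):
        return 200, {"accessToken": self._token(user, ACCESS_TTL, "access"),
                     "refreshToken": self._token(user, REFRESH_TTL, "refresh")}

    def _valid(self, token, kind):
        c = jwt_payload(token)
        return c["kind"] == kind and c["exp"] > self.clock and c["jti"] not in self.revoked

    def request(self, path, headers=None, body=None):
        auth = (headers or {}).get("Authorization", "")
        if path == "/v1/api/auth/refresh":
            if not self._valid(body["refreshToken"], "refresh"):
                return 401, {"error": "invalid refresh token"}
            return self.login(jwt_payload(body["refreshToken"])["sub"])   # new pair
        if not auth.startswith("Bearer ") or not self._valid(auth[7:], "access"):
            return 401, {"error": "unauthorized"}
        if path == "/v1/api/auth/logout":
            for t in (auth[7:], body["refreshToken"]):     # blacklist both tokens
                self.revoked.add(jwt_payload(t)["jti"])
            return 200, {}
        return 200, {"user": jwt_payload(auth[7:])["sub"]}

class Session:
    """Client side: Bearer header on every call, refresh shortly before expiry,
    exactly one refresh-and-retry on a 401 (never a loop), local wipe on logout."""

    def __init__(self, api, now, pair):
        self.api, self.now, self.refreshes = api, now, 0
        self._store(pair)

    def _store(self, pair):
        self.access, self.refresh_token = pair["accessToken"], pair["refreshToken"]

    def _refresh(self):
        status, body = self.api.request("/v1/api/auth/refresh", body={"refreshToken": self.refresh_token})
        if status != 200:                     # refresh token expired or blacklisted
            self.access = self.refresh_token = None
            raise PermissionError("refresh failed; the user must log in again")
        self.refreshes += 1
        self._store(body)                     # keep the NEW pair, drop the old one

    def _authed(self, path, body=None):
        return self.api.request(path, {"Authorization": f"Bearer {self.access}"}, body)

    def call(self, path):
        if needs_refresh(self.access, self.now()):
            self._refresh()
        status, resp = self._authed(path)
        if status == 401:                     # revoked server-side: one refresh, one retry
            self._refresh()
            status, resp = self._authed(path)
        return status, resp

    def logout(self):
        status, _ = self._authed("/v1/api/auth/logout", {"refreshToken": self.refresh_token})
        self.access = self.refresh_token = None   # discard local copies whatever the reply
        return status

def demo() -> dict:
    api = FakeColisMove()
    s = Session(api, lambda: api.clock, api.login("alice")[1])
    out = {"first_call": s.call("/v1/api/user/me")[0]}
    api.clock += 16 * 60                                     # past the 15-minute lifetime
    out["after_expiry"] = s.call("/v1/api/user/me")[0]       # refreshed before sending
    api.revoked.add(jwt_payload(s.access)["jti"])            # server revokes mid-session
    out["after_revocation"] = s.call("/v1/api/user/me")[0]   # 401 -> refresh -> retry
    access, refresh, out["refreshes"] = s.access, s.refresh_token, s.refreshes
    out["logout"] = s.logout()
    out["access_after_logout"] = api.request("/v1/api/user/me", {"Authorization": f"Bearer {access}"})[0]
    out["refresh_after_logout"] = api.request("/v1/api/auth/refresh", body={"refreshToken": refresh})[0]
    return out
```

`demo()` walks through the lifecycle: a fresh call succeeds, a call after the 15-minute lifetime is preceded by a proactive refresh, a token revoked server-side produces a 401 that is answered with exactly one refresh and one retry, and after logout both the blacklisted access token and the blacklisted refresh token are rejected. The single-retry rule matters: a client that refreshes and retries in a loop will hammer the API when a refresh token has itself been blacklisted.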