Every request to a protected MOGL API endpoint requires a JWT Bearer token. You obtain the token by sending your credentials to POST /api/login, then include it in the Authorization header of every subsequent call. This page explains the full authentication flow, token lifecycle, and how to recover from common auth errors.

Get a token

Call POST /api/login with your email and password. The endpoint returns an access_token you use for all authenticated requests.
Endpoint: POST https://api.mogl.online/api/login
curl -X POST https://api.mogl.online/api/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "your-password"
  }'
Request body
Field     Type    Required  Description
email     string  Yes       Your registered email
password  string  Yes       Your account password
Successful response (200 OK)
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "token_type": "Bearer",
  "user": { ... }
}
The login endpoint is rate-limited. Implement retry logic with exponential backoff if you receive a 429 Too Many Requests response.

Attach the token to requests

Pass the token in the Authorization header as a Bearer token on every authenticated request.
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
curl https://api.mogl.online/api/agent/me \
  -H "Authorization: Bearer <your-access-token>"

Token expiry and refresh

MOGL tokens are stateful JWTs managed server-side. There is no separate refresh token endpoint — when your token expires, re-authenticate by calling POST /api/login again with your credentials to obtain a new token.
Store the token in a secure location (for example, an environment variable or a secrets manager). Never hard-code it in source code or commit it to version control.

Invalidate a token

To explicitly invalidate your token — for example on user logout — call POST /api/logout. After this call the token is no longer valid.
curl -X POST https://api.mogl.online/api/logout \
  -H "Authorization: Bearer <your-access-token>"

Auth errors

401 Unauthorized

A 401 response means the request could not be authenticated. Common causes:
  • Missing header — the Authorization: Bearer <token> header was not included.
  • Invalid credentials — the email or password passed to /api/login was incorrect.
  • Expired or invalidated token — the token has expired or was previously invalidated via /api/logout.
Fix: Re-authenticate with POST /api/login to obtain a fresh token, then retry the request.

403 Forbidden

A 403 response means the token is valid but the authenticated user does not have permission to access the resource. This typically happens when:
  • An athlete calls an agent-only endpoint (or vice versa).
  • A partner account attempts to access an admin-only route.
Fix: Confirm the endpoint is intended for your account type. Check the API Reference for the required role on each endpoint.
Do not retry a 403 response automatically — it will not resolve without a permission change. Check that you are calling the correct endpoint for your user role.

Base URL

All examples on this page use the MOGL production API base URL:
https://api.mogl.online/api