> ## Documentation Index
> Fetch the complete documentation index at: https://developer.mogl.online/llms.txt
> Use this file to discover all available pages before exploring further.

# MOGL Core API Authentication: Get and Use JWT Tokens

> Learn how to obtain a JWT Bearer token via POST /api/login, attach it to requests, handle token expiry, and resolve 401 and 403 errors.

Every request to a protected MOGL API endpoint requires a JWT Bearer token. You obtain the token by posting your credentials to `POST /api/login`, then include it in the `Authorization` header of every subsequent call. This page explains the full authentication flow, token lifecycle, and how to recover from common auth errors.

## Get a token

Call `POST /api/login` with your email and password. The endpoint returns an `access_token` you use for all authenticated requests.

**Endpoint:** `POST https://api.mogl.online/api/login`

<CodeGroup>
  ```bash curl theme={"dark"}
  curl -X POST https://api.mogl.online/api/login \
    -H "Content-Type: application/json" \
    -d '{
      "email": "you@example.com",
      "password": "your-password"
    }'
  ```

  ```javascript JavaScript theme={"dark"}
  const response = await fetch('https://api.mogl.online/api/login', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      email: 'you@example.com',
      password: 'your-password',
    }),
  });

  const { access_token } = await response.json();
  ```

  ```python Python theme={"dark"}
  import requests

  resp = requests.post(
      'https://api.mogl.online/api/login',
      json={'email': 'you@example.com', 'password': 'your-password'},
  )
  access_token = resp.json()['access_token']
  ```
</CodeGroup>

**Request body**

| Field      | Type   | Required | Description           |
| ---------- | ------ | -------- | --------------------- |
| `email`    | string | Yes      | Your registered email |
| `password` | string | Yes      | Your account password |

**Successful response (`200 OK`)**

```json theme={"dark"}
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "token_type": "Bearer",
  "user": { ... }
}
```

<Note>
  The login endpoint is rate-limited. Implement retry logic with exponential backoff if you receive a `429 Too Many Requests` response.
</Note>

## Attach the token to requests

Pass the token in the `Authorization` header as a Bearer token on every authenticated request.

```bash theme={"dark"}
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
```

<CodeGroup>
  ```bash curl theme={"dark"}
  curl https://api.mogl.online/api/agent/me \
    -H "Authorization: Bearer <your-access-token>"
  ```

  ```javascript JavaScript theme={"dark"}
  const response = await fetch('https://api.mogl.online/api/agent/me', {
    headers: {
      Authorization: `Bearer ${access_token}`,
    },
  });
  ```

  ```python Python theme={"dark"}
  resp = requests.get(
      'https://api.mogl.online/api/agent/me',
      headers={'Authorization': f'Bearer {access_token}'},
  )
  ```
</CodeGroup>

## Token expiry and refresh

MOGL tokens are stateful JWTs managed server-side. There is no separate refresh token endpoint — when your token expires, re-authenticate by calling `POST /api/login` again with your credentials to obtain a new token.

<Tip>
  Store the token in a secure location (for example, an environment variable or a secrets manager). Never hard-code it in source code or commit it to version control.
</Tip>

### Invalidate a token

To explicitly invalidate your token — for example on user logout — call `POST /api/logout`. After this call the token is no longer valid.

```bash theme={"dark"}
curl -X POST https://api.mogl.online/api/logout \
  -H "Authorization: Bearer <your-access-token>"
```

## Auth errors

### 401 Unauthorized

A `401` response means the request could not be authenticated. Common causes:

* **Missing header** — the `Authorization: Bearer <token>` header was not included.
* **Invalid credentials** — the email or password passed to `/api/login` was incorrect.
* **Expired or invalidated token** — the token has expired or was previously invalidated via `/api/logout`.

**Fix:** Re-authenticate with `POST /api/login` to obtain a fresh token, then retry the request.

### 403 Forbidden

A `403` response means the token is valid but the authenticated user does not have permission to access the resource. This typically happens when:

* An athlete calls an agent-only endpoint (or vice versa).
* A partner account attempts to access an admin-only route.

**Fix:** Confirm the endpoint is intended for your account type. Check the [API Reference](/api-reference/core-api) for the required role on each endpoint.

<Warning>
  Do not retry a `403` response automatically — it will not resolve without a permission change. Check that you are calling the correct endpoint for your user role.
</Warning>

## Base URL

All examples on this page use the MOGL production API base URL:

```
https://api.mogl.online/api
```
