Documentation
API authentication
Authenticating against the Slope API with Cognito JWTs.
How auth works
Slope uses AWS Cognito for authentication. Users sign up and sign in via Cognito, which issues the tokens as JWTs. The backend verifies the JWT signature on every request using the public keys published at Cognito's JWKS endpoint.
Token lifetime
- Access token and ID token: 60 minutes
- Refresh token: 30 days
The app SDK refreshes silently when the access token nears expiry. If the refresh token expires or is revoked, the next API call returns 401 and the app redirects to /login.
Internal endpoints
The /internal/* endpoints (used by the Cognito post-confirmation Lambda) use HMAC request signing instead of JWTs. Only services inside our AWS account can call them.
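The following is an added example of how an HMAC-signed call to an /internal/* endpoint can be produced and checked; it is not Slope's own code. The page does not specify the signing scheme, so the canonical string (method, path, timestamp, SHA-256 of the body), the header names, the shared secret and the 300-second replay window are all assumptions.

```python
"""Request signing for the /internal/* endpoints (added example, scheme assumed)."""
import hashlib
import hmac

# Constructed secret for the example only; a real secret lives in the
# service's secret store and is never committed to source.
SHARED_SECRET = b"example-internal-secret-not-real"
MAX_SKEW_SECONDS = 300  # assumed replay window around the request timestamp


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind method, path, time and body into one string to sign.

    Hashing the body keeps the string fixed-size while still covering the payload,
    so a tampered body or a signature replayed on another path fails verification.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes, now: int) -> dict:
    """Caller side (e.g. the post-confirmation Lambda): headers to attach."""
    mac = hmac.new(secret, canonical_string(method, path, now, body), hashlib.sha256)
    return {"X-Timestamp": str(now), "X-Signature": mac.hexdigest()}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: dict, now: int) -> bool:
    """Server side: reject stale timestamps first, then compare MACs in constant time."""
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # replayed or badly skewed request
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


if __name__ == "__main__":
    # Constructed sample call: a user-created event forwarded to the backend.
    body = b'{"sub":"constructed-user-id"}'
    hdrs = sign_request(SHARED_SECRET, "POST", "/internal/users", body, 1_700_000_000)
    print("valid:", verify_request(SHARED_SECRET, "POST", "/internal/users", body, hdrs, 1_700_000_010))
    print("replayed after window:", verify_request(SHARED_SECRET, "POST", "/internal/users", body, hdrs, 1_700_000_900))
```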
Programmatic access
For server-to-server calls, sign in via Cognito InitiateAuth (USER_PASSWORD_AUTH flow) using service account credentials. Treat the refresh token as a long-lived secret.