Authentication
Monetro uses a dual-token JWT scheme for API access: a short-lived access token and a longer-lived refresh token.
Token Types
| Token | Lifetime | Storage | Purpose |
|---|---|---|---|
| Access Token | 15 minutes | Authorization header | API authentication |
| Refresh Token | 7 days | httpOnly cookie | Silent token renewal |
Login
POST /api/auth/login

```json
{
  "email": "[email protected]",
  "password": "your-secure-password"
}
```
Response:

```json
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "[email protected]",
    "name": "Max Mustermann",
    "role": "admin",
    "tenantId": "tenant-uuid"
  }
}
```
Using the Token
```bash
curl https://app.monetro.at/api/customers \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
```
Token Refresh
When the access token expires:
POST /api/auth/refresh
No request body is needed: the refresh token is sent automatically in the httpOnly cookie, and the response contains a new access token.
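The client side of this flow, as an added example that is not part of Monetro's own code. It assumes the two endpoints shown on this page (a refresh that needs no body and answers with a `token` field) and takes the `fetch` implementation as a parameter so it can be exercised offline; the `BASE` host is taken from the curl example above.

```javascript
// Added example, not Monetro's own client code. It assumes the endpoints shown on
// this page: POST /api/auth/refresh reads the refresh token from the httpOnly
// cookie (so the browser must send credentials) and answers {"token": "..."}.
// fetchImpl is injected so the flow can run offline against a fake fetch.
const BASE = "https://app.monetro.at"; // host taken from the curl example

// Read the JWT payload (base64url) without verifying the signature: this only
// schedules a refresh; the server remains the sole verifier of the token.
function decodePayload(token) {
  try {
    const b64 = token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch {
    return null;
  }
}

// True when the access token expires within skewSeconds or cannot be read.
function isExpiringSoon(token, nowSeconds, skewSeconds = 30) {
  const claims = decodePayload(String(token));
  if (!claims || typeof claims.exp !== "number") return true;
  return claims.exp - nowSeconds <= skewSeconds;
}

// get(path) sends the bearer token, refreshes proactively when it is about to
// expire, and retries once on a 401 (e.g. the server revoked the token early).
function createClient(fetchImpl, initialToken, clock = () => Date.now() / 1000) {
  let accessToken = initialToken;
  async function refresh() {
    // No body: the refresh token travels in the httpOnly cookie.
    const res = await fetchImpl(`${BASE}/api/auth/refresh`, { method: "POST", credentials: "include" });
    if (!res.ok) throw new Error(`refresh failed with HTTP ${res.status}`);
    accessToken = (await res.json()).token;
    return accessToken;
  }
  const authed = (path) =>
    fetchImpl(`${BASE}${path}`, { headers: { Authorization: `Bearer ${accessToken}` } });
  async function get(path) {
    if (isExpiringSoon(accessToken, clock())) await refresh();
    let res = await authed(path);
    if (res.status === 401) {
      await refresh();
      res = await authed(path);
    }
    return res;
  }
  return { get, refresh, token: () => accessToken };
}
```

Because the refresh token never leaves the httpOnly cookie, the page's JavaScript only ever holds the 15-minute access token, which limits what a script-injection bug on the page can steal.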
Roles
| Role | Permissions |
|---|---|
| admin | Full access — settings, billing, user management |
| manager | Create/edit invoices, customers, team management |
| member | View/create invoices, basic operations |
| viewer | Read-only access to invoices and reports |
Two-Factor Authentication
Monetro supports multiple 2FA methods:
- TOTP — Time-based codes via authenticator apps
- WebAuthn / Passkeys — FIDO2 hardware keys and platform authenticators
- Biometric — Fingerprint / Face ID on iOS and Android
Account Lockout
After 5 failed login attempts, the account is locked for 5 minutes. Lockout duration increases progressively with repeated failures.
Data Encryption
| Data | Method |
|---|---|
| IBAN, BIC | AES-256-GCM |
| OAuth tokens, API keys | AES-256-GCM |
| Customer names, addresses | AES-256-GCM |
| Email lookups | HMAC-SHA256 (searchable hash) |