
Authentication


Overview

The Arybit GeoAlterSense™ v2.0 API uses the Arybit account service for identity. All requests must be made over HTTPS. Two patterns are supported:

  • Browser / web app: Cookie-based session plus optional Bearer token returned from the auth service for API calls.
  • Server / script / mobile: Bearer token only (obtain a token via the account login flow or a backend that calls the auth API).

Where to sign in

Users sign in at the central Arybit account portal:


Browser (cookie + Bearer)

In the web app (https://geo.arybit.co.ke/app), the front end:

  1. Uses credentials: 'include' on fetch so that HttpOnly cookies set by the account domain are sent with requests.
  2. Calls GET https://api.arybit.co.ke/authenticate/users/me with credentials. The response includes the current user, a csrf_token, and an access_token (JWT).
  3. For subsequent calls to the GeoAlterSense API (https://api.arybit.co.ke/geoaltersense), the client sends Authorization: Bearer <access_token> and, when applicable, X-CSRF-TOKEN: <csrf_token> for state-changing requests.

If the user is not authenticated and visits /app, the app redirects to the login page with a redirect_to return URL. The landing page (/) shows Sign In / Start Free Trial and does not redirect.

Example: Get session and token

GET https://api.arybit.co.ke/authenticate/users/me
Accept: application/json
(no Authorization header; cookies sent automatically with credentials: 'include')

Response 200:
{
  "success": true,
  "user": { ... },
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "csrf_token": "263cdee85290f087c20a1f257ef47e6e..."
}

Bearer token

For server-to-server, scripts, or mobile apps, use the JWT returned as access_token from GET /authenticate/users/me (or from your own backend that performs login and returns a token). Send it on every request to the GeoAlterSense API:

Authorization: Bearer <your_jwt_token>

Replace <your_jwt_token> with the actual token. Do not send the token in query parameters or in non-HTTPS requests.
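The following is an added example client, not Arybit's own front-end code, that walks through the browser flow above (GET /authenticate/users/me with cookies, then Bearer plus X-CSRF-TOKEN on state-changing calls) and also covers the Bearer-only pattern, since the same request builder works with a token obtained from your own backend. The login page URL (https://geo.arybit.co.ke/login) and the API path /sites are assumptions used for illustration; the fetch implementation is injectable so the flow can be exercised offline with a stub.

```javascript
// Added example client for the Arybit GeoAlterSense auth flow. Not Arybit's code.
// ASSUMPTIONS (not on the documentation page): LOGIN_URL and the "/sites" path.

const AUTH_ME_URL = 'https://api.arybit.co.ke/authenticate/users/me';
const GEO_BASE_URL = 'https://api.arybit.co.ke/geoaltersense';
const LOGIN_URL = 'https://geo.arybit.co.ke/login'; // ASSUMPTION: location of the login page

// Methods that must not change server state and therefore carry no CSRF token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Shape check for a compact JWT: three dot-separated base64url segments.
// This only validates the transport format; the client never verifies or
// trusts the claims inside the token, the API does that server-side.
const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

// Turn the /users/me JSON body into a session object. Malformed bodies are
// rejected here so they cannot become an "Authorization: Bearer undefined" later.
function parseSessionResponse(body) {
  if (!body || body.success !== true) return null;
  const { access_token: accessToken, csrf_token: csrfToken, user } = body;
  if (typeof accessToken !== 'string' || !JWT_RE.test(accessToken)) {
    throw new Error('users/me: access_token missing or not a JWT');
  }
  if (typeof csrfToken !== 'string' || csrfToken.length === 0) {
    throw new Error('users/me: csrf_token missing');
  }
  return { user, accessToken, csrfToken };
}

// Steps 1 and 2 of the browser flow. credentials: 'include' makes the browser
// attach the HttpOnly cookies set by the account domain; no Authorization header
// is sent on this call. Resolves to null when there is no session (HTTP 401).
async function getSession(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(AUTH_ME_URL, {
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`users/me failed with HTTP ${res.status}`);
  return parseSessionResponse(await res.json());
}

// Step 3: headers for a GeoAlterSense call. X-CSRF-TOKEN is attached only to
// state-changing methods; Content-Type only when a JSON body is sent.
function buildHeaders(session, method, hasJsonBody = false) {
  const headers = {
    Authorization: `Bearer ${session.accessToken}`,
    Accept: 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  };
  if (!SAFE_METHODS.has(method.toUpperCase())) headers['X-CSRF-TOKEN'] = session.csrfToken;
  if (hasJsonBody) headers['Content-Type'] = 'application/json';
  return headers;
}

// Login URL carrying the page to return to after sign-in (the redirect_to
// parameter described on this page).
function loginRedirectUrl(returnTo) {
  const url = new URL(LOGIN_URL);
  url.searchParams.set('redirect_to', returnTo);
  return url.toString();
}

// Call the GeoAlterSense API. The token travels only in the Authorization
// header, never in the query string, and only over HTTPS. A 401 means the
// token or session is invalid or expired, so the caller gets the login URL
// instead of a retry with the same stale token.
async function geoRequest(session, method, path, jsonBody, fetchImpl = globalThis.fetch) {
  const url = new URL(GEO_BASE_URL + path);
  if (url.protocol !== 'https:' || url.searchParams.has('access_token')) {
    throw new Error('token must only be sent over HTTPS in the Authorization header');
  }
  const init = {
    method,
    credentials: 'include',
    headers: buildHeaders(session, method, jsonBody !== undefined),
  };
  if (jsonBody !== undefined) init.body = JSON.stringify(jsonBody);
  const res = await fetchImpl(url.toString(), init);
  if (res.status === 401) {
    return { ok: false, status: 401, redirect: loginRedirectUrl('https://geo.arybit.co.ke/app') };
  }
  if (res.status === 403) return { ok: false, status: 403, error: 'valid auth, action not allowed' };
  if (!res.ok) return { ok: false, status: res.status };
  return { ok: true, status: res.status, data: await res.json() };
}

// Browser usage (not executed here):
//   const session = await getSession();
//   if (!session) window.location.assign(loginRedirectUrl(window.location.href));
//   const result = await geoRequest(session, 'POST', '/sites', { name: 'Site A' }); // "/sites" is an assumed path
```

For the Bearer-only pattern, build the session object yourself from the token your backend issues (`{ accessToken, csrfToken: '' }`) and skip getSession; `buildHeaders` will then set only the Authorization header on safe methods, and `credentials: 'include'` is harmless outside a browser. The token is never logged, never placed in a URL, and never decoded client-side; those are the properties the page's "keep tokens secure" guidance is asking for.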


Request headers

Use these headers when calling the geospatial API:

Header            Required                   Description
Authorization     Yes (protected endpoints)  Bearer <access_token>
Accept            Recommended                application/json
Content-Type      For JSON body              application/json, or multipart/form-data for submit endpoints
X-CSRF-TOKEN      When required by server    CSRF token from the /users/me response (browser flows)
X-Requested-With  Optional                   XMLHttpRequest for AJAX-style requests

Errors

  • 401 Unauthorized — Invalid or expired token, or no session. In the browser app, unauthenticated access to /app redirects to the login page.
  • 403 Forbidden — The request was authenticated, but the user is not allowed to perform the action.

Always use HTTPS and keep tokens and cookies secure. A Bearer token embedded in client-side code can be read by anyone who inspects the page or its traffic, so if an operation depends on a secret that must stay private, route it through a backend proxy that holds the credential server-side rather than shipping it to the browser.