The Tarefy API uses JWT Bearer Token. Every protected endpoint requires the header:
Authorization: Bearer YOUR_JWT
Get a token
Use POST /v2/auth/login:
curl -X POST https://app.tarefy.com/nodeapi/v2/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "your-email@company.com",
"password": "your-password"
}'
Response:
{
"token": "eyJhbGciOiJIUzI1NiIs...",
"user": {
"id": 123,
"nome": "Your Name",
"email": "your-email@company.com",
"id_conta": 42
}
}
Expiration
Tarefy JWT tokens expire in 24 hours. When they expire, you receive:
HTTP/1.1 401 Unauthorized
{
"message": "Unauthorized"
}
Just call /auth/login again to get a new token.
Best practices
Never expose your token in client-side code, public repositories or logs. Anyone with the token has full account access.
- Store tokens in a secure environment (env vars, secret manager, httpOnly cookie)
- Use one token per integration when possible — easier to revoke
- Rotate if you suspect a leak (just change the user’s password)
Persistent API tokens (coming soon)
Currently only session JWT tokens (24h) are supported. Persistent scoped API tokens are on the roadmap.
Common errors
| Status | Message | Cause |
|---|
| 401 | Unauthorized | Missing, malformed or expired token |
| 401 | Invalid token | Token signed with a different JWT secret |
| 402 | Payment required | Account plan expired or Stripe overdue |
| 403 | Forbidden | Valid token but insufficient permission |