Skip to main content
The Tarefy API uses JWT Bearer Token. Every protected endpoint requires the header:
Authorization: Bearer YOUR_JWT

Get a token

Use POST /v2/auth/login:
curl -X POST https://app.tarefy.com/nodeapi/v2/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "your-email@company.com",
    "password": "your-password"
  }'
Response:
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": 123,
    "nome": "Your Name",
    "email": "your-email@company.com",
    "id_conta": 42
  }
}

Expiration

Tarefy JWT tokens expire in 24 hours. When they expire, you receive:
HTTP/1.1 401 Unauthorized
{
  "message": "Unauthorized"
}
Just call /auth/login again to get a new token.

Best practices

Never expose your token in client-side code, public repositories or logs. Anyone with the token has full account access.
  • Store tokens in a secure environment (env vars, secret manager, httpOnly cookie)
  • Use one token per integration when possible — easier to revoke
  • Rotate if you suspect a leak (just change the user’s password)

Persistent API tokens (coming soon)

Currently only session JWT tokens (24h) are supported. Persistent scoped API tokens are on the roadmap.

Common errors

StatusMessageCause
401UnauthorizedMissing, malformed or expired token
401Invalid tokenToken signed with a different JWT secret
402Payment requiredAccount plan expired or Stripe overdue
403ForbiddenValid token but insufficient permission