---
title: "Authentication | DreamFactory Docs"
source: "https://docs.dreamfactory.com/api-reference/authentication"
canonical_url: "https://docs.dreamfactory.com/api-reference/authentication"
converted_at: "2026-04-05T13:52:01.875Z"
format: "markdown"
converted_by: "html-to-md-ai"
---
## The Two-Credential System

Every DreamFactory request needs **both**:

| Header | Purpose | Where to get it |
| --- | --- | --- |
| `X-DreamFactory-API-Key` | Identifies the **app** | Admin UI → Apps, or via tinker |
| `X-DreamFactory-Session-Token` | Identifies the **logged-in user** | Returned by login endpoint |

The API key alone is enough for some public endpoints. Most operations require both.

---

## Admin Login (System Administrators)

```
POST /api/v2/system/admin/session
```

> ⚠️ **This is the only correct endpoint for admin users.** The following will NOT work:
>
> - `/api/v2/admin/session` → returns "JWT required" error
> - `/api/v2/user/session` → returns "missing required email" error
> - Any of the above without `X-DreamFactory-API-Key` header

**Required headers:**

```
Content-Type: application/json
X-DreamFactory-API-Key: <admin-app-api-key>
```

**Request body:**

```
{
  "email": "[email protected]",
  "password": "yourpassword"
}
```

**Full working example:**

```
curl -s -X POST http://your-df-host/api/v2/system/admin/session \
  -H "Content-Type: application/json" \
  -H "X-DreamFactory-API-Key: YOUR_ADMIN_APP_API_KEY" \
  -d '{"email":"[email protected]","password":"yourpassword"}'
```

**Response:**

```
{
  "session_token": "eyJ0eXAiOiJKV1Qi...",
  "session_id": "eyJ0eXAiOiJKV1Qi...",
  "id": 1,
  "name": "Admin User",
  "email": "[email protected]",
  "is_sys_admin": true,
  "last_login_date": "2026-02-18 19:45:18",
  "token_expiry_date": "2026-02-19 19:45:18"
}
```

Save the `session_token` — use it as `X-DreamFactory-Session-Token` in all subsequent requests.

---

## Regular User Login

```
POST /api/v2/user/session
```

Same pattern as admin login. Requires `Content-Type: application/json` and `X-DreamFactory-API-Key`.

```
curl -s -X POST http://your-df-host/api/v2/user/session \
  -H "Content-Type: application/json" \
  -H "X-DreamFactory-API-Key: YOUR_APP_API_KEY" \
  -d '{"email":"[email protected]","password":"yourpassword"}'
```

---

## Getting the Admin App API Key

The `admin` app is created automatically on first setup. Three ways to get its key:

**Via artisan tinker (server access):**

```
sudo docker exec -i df-docker-web-1 php artisan tinker <<'EOF'
echo \DreamFactory\Core\Models\App::where('name','admin')->first()->api_key;
EOF
```

**Via API (once you have a session):**

```
curl -s http://your-df-host/api/v2/system/app \
  -H "X-DreamFactory-API-Key: YOUR_KEY" \
  -H "X-DreamFactory-Session-Token: YOUR_TOKEN" | python3 -m json.tool
```

**Via Admin UI:** Apps → admin → copy API Key field.

---

## Using the Session Token

Include both headers on all subsequent requests:

```
curl -s http://your-df-host/api/v2/system/service \
  -H "X-DreamFactory-API-Key: YOUR_ADMIN_APP_API_KEY" \
  -H "X-DreamFactory-Session-Token: YOUR_SESSION_TOKEN"
```

Tokens expire after **24 hours** by default. Re-POST to the login endpoint to refresh.
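
The login, token reuse, and expiry steps above can be wrapped in a small client-side helper. This is an added example, not DreamFactory's own code: the `DFSession` class and its method names are hypothetical, the sample response is constructed, and `token_expiry_date` is assumed to be on the same clock as the `now` value the caller passes in.

```python
import json
from datetime import datetime, timedelta
from urllib import request

LOGIN_PATHS = {"admin": "/api/v2/system/admin/session",
               "user": "/api/v2/user/session"}


class DFSession:
    """Holds the app API key plus the session token from a login response."""

    def __init__(self, base_url, api_key, kind="admin"):
        self.login_url = base_url.rstrip("/") + LOGIN_PATHS[kind]
        self.api_key = api_key
        self.token = None
        self.expires = None

    def login_request(self, email, password):
        """Build (not send) the login POST: API key header, JSON body, no token."""
        body = json.dumps({"email": email, "password": password}).encode()
        return request.Request(self.login_url, data=body, method="POST", headers={
            "Content-Type": "application/json",
            "X-DreamFactory-API-Key": self.api_key,
        })

    def store(self, response_text):
        """Keep session_token and token_expiry_date from the login response."""
        data = json.loads(response_text)
        self.token = data["session_token"]
        # Assumption: this timestamp is on the same clock as `now` below.
        self.expires = datetime.strptime(data["token_expiry_date"],
                                         "%Y-%m-%d %H:%M:%S")

    def needs_login(self, now, margin=timedelta(minutes=5)):
        """True when there is no token or it expires within `margin`."""
        return self.token is None or now >= self.expires - margin

    def headers(self, now):
        """Both credentials for a normal request; refuse to send a stale token."""
        if self.needs_login(now):
            raise RuntimeError("session missing or expired: log in again")
        return {"X-DreamFactory-API-Key": self.api_key,
                "X-DreamFactory-Session-Token": self.token}


# Constructed sample response, shaped like the login response shown earlier.
SAMPLE = ('{"session_token": "SAMPLE.TOKEN.VALUE", "is_sys_admin": true, '
          '"token_expiry_date": "2026-02-19 19:45:18"}')
```

Pass the object returned by `login_request()` to `urllib.request.urlopen()`, feed the response body to `store()`, and call `headers()` before each later request so an expired token triggers a fresh login instead of a `401`.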

---

## Refresh / Check Current Session

```
# GET refreshes the token and returns current user info
curl -s -X GET http://your-df-host/api/v2/system/admin/session \
  -H "X-DreamFactory-API-Key: YOUR_API_KEY" \
  -H "X-DreamFactory-Session-Token: YOUR_SESSION_TOKEN"
```

---

## Logout

```
curl -s -X DELETE http://your-df-host/api/v2/system/admin/session \
  -H "X-DreamFactory-API-Key: YOUR_API_KEY" \
  -H "X-DreamFactory-Session-Token: YOUR_SESSION_TOKEN"
```

---

## Common Errors and Fixes

| Error | Cause | Fix |
| --- | --- | --- |
| `Login request is missing required email` | Wrong endpoint (`user/session` for admin) or missing `Content-Type` header | Use `POST /api/v2/system/admin/session` with `Content-Type: application/json` |
| `No session token (JWT) provided` | Using `/api/v2/admin/session` (wrong endpoint) | Use `/api/v2/system/admin/session` |
| `No session token or API Key detected` | Missing `X-DreamFactory-API-Key` header | Add the admin app's API key header |
| `Invalid credentials supplied` | Wrong password, or password set without DF's model (raw bcrypt won't match) | Reset via `php artisan tinker` using the DF User model — it handles hashing |
| `401 Unauthorized` | Expired or invalid session token | Re-authenticate to get a new token |

---

## Quick Reference — Endpoint Summary

| Action | Method | Endpoint | Needs API Key | Needs Session Token |
| --- | --- | --- | --- | --- |
| Admin login | POST | `/api/v2/system/admin/session` | ✅ | ❌ |
| User login | POST | `/api/v2/user/session` | ✅ | ❌ |
| Check/refresh session | GET | `/api/v2/system/admin/session` | ✅ | ✅ |
| Logout | DELETE | `/api/v2/system/admin/session` | ✅ | ✅ |
| Any system operation | * | `/api/v2/system/*` | ✅ | ✅ |
| Any data operation | * | `/api/v2/{service}/_table/*` | ✅ | ✅ |