API Reference
Complete REST API documentation for the CAS authentication system.
Base URL & Security
https://your-cas-server.com/api
Security Requirements
- IP Whitelisting — client system IPs must be registered in the admin panel
- Rate Limiting — login endpoints are rate limited per IP address
- Account lockout after 5 failed login attempts (30 min cooldown)
- All SSO endpoints require a valid `client_id` and `client_secret`
POST /api/sso/token

Generate an SSO token for a user. This is a server-to-server call using client credentials and a username. The endpoint is protected by IP whitelisting.

Request Body

```json
{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret",
  "username": "john_doe"
}
```

Success Response 200

```json
{
  "redirect_url": "https://your-app.com/cas/callback?token=eyJhbG...",
  "token": "eyJhbGciOiJIUzI1NiIs..."
}
```

Error Responses

```
// 401 — Invalid client credentials
{ "error": "Invalid client credentials" }

// 404 — User not found
{ "error": "User not found or inactive" }
```
POST /api/sso/validate

Validate an SSO token and retrieve user information. Tokens are single-use — once validated, they cannot be reused.

Note: A legacy endpoint /api/validate-token also exists with IP whitelisting enabled. We recommend using /api/sso/validate for new integrations.

Request Body

```json
{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "client_id": "your_client_id",
  "client_secret": "your_client_secret"
}
```

Response 200

```json
{
  "valid": true,
  "user": {
    "id": 1,
    "username": "john_doe",
    "email": "[email protected]"
  },
  "expires_at": "2026-03-10 22:30:00"
}
```
GET /sso/login
Initiate browser-based SSO login. Redirect users to this URL to authenticate via the CAS login page. After login, users are redirected to your callback URL with a token.
Query Parameters
| Parameter | Description |
|---|---|
| client_id | Your registered client system ID |
Callback

```
// After successful login, the user is redirected to:
https://your-app.com/cas/callback?token=eyJhbGciOiJIUzI1NiIs...

// Your callback should validate the token via POST /api/sso/validate
```
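Putting the token, validate and callback steps above together, as an added example that is not part of this documentation: a small Python client for the server-to-server flow plus a callback handler that treats the token in the URL as untrusted until /api/sso/validate confirms it. The base URL is the one documented above; the client credentials, the `transport` hook and the error mapping are this example's own assumptions (the page does not document error bodies for the validate endpoint).

```python
import json
from urllib import error, request

BASE_URL = "https://your-cas-server.com/api"  # base URL from the page

class CasError(Exception):  # a documented non-200 response (401, 404, 423, 429, ...)
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body.get('error', 'unknown error')}")
        self.status, self.body = status, body

def http_post_json(path, payload):
    """Default transport: POST JSON to BASE_URL + path, return (status, body)."""
    req = request.Request(BASE_URL + path, json.dumps(payload).encode(),
                          {"Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=10) as r:
            return r.status, json.loads(r.read() or b"{}")
    except error.HTTPError as e:  # non-2xx bodies still carry {"error": ...}
        return e.code, json.loads(e.read() or b"{}")

class CasSsoClient:  # server-side client for /api/sso/token and /api/sso/validate
    def __init__(self, client_id, client_secret, transport=http_post_json):
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.transport = transport  # injectable so the flow can run offline in tests

    def _call(self, path, **fields):
        status, body = self.transport(path, {**self.creds, **fields})
        if status != 200:
            raise CasError(status, body)
        return body

    def generate_token(self, username):
        """Server-to-server: mint a single-use token; returns {token, redirect_url}."""
        return self._call("/sso/token", username=username)

    def validate_token(self, token):
        """Exchange a callback token for user info; reject anything not marked valid."""
        body = self._call("/sso/validate", token=token)
        if body.get("valid") is not True or "user" not in body:
            raise CasError(200, {"error": "response not marked valid"})
        return body["user"]

def handle_callback(query_token, client):
    """Callback: ?token= is untrusted until validated server-side. Returns the user dict,
    None for a rejected token (401/404); 423/429 propagate so callers can back off."""
    try:
        return client.validate_token(query_token) if query_token else None
    except CasError as e:
        if e.status in (401, 404):
            return None
        raise
```

With the default transport the client posts to the live server; passing a `transport` callable lets the same code run against a stub that models the documented responses, including the single-use token rule.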
GET /api/user

Retrieve the currently authenticated user's profile (session-based).

Response 200

```json
{
  "id": 1,
  "username": "john_doe",
  "email": "[email protected]",
  "role": "user",
  "full_name": "John Doe"
}
```
POST /api/auth/login

Authenticate a user via the API. Returns user data on success.

Request Body

```json
{
  "login": "john_doe",
  "password": "your_password"
}
```

Success Response 200

```json
{
  "success": true,
  "user": {
    "id": 1,
    "username": "john_doe",
    "email": "[email protected]",
    "role": "user",
    "full_name": "John Doe"
  }
}
```

Error Responses

```
// 401 — Invalid credentials
{ "error": "Invalid credentials" }

// 423 — Account locked (too many failed attempts)
{ "error": "Account locked", "remaining_minutes": 25 }

// 429 — Rate limited
{ "error": "Too many attempts", "retry_after": 45 }
```
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad Request — validation error |
| 401 | Unauthorized — invalid credentials or token |
| 403 | Forbidden — IP not whitelisted |
| 404 | Not Found — user or resource not found |
| 423 | Locked — account lockout active |
| 429 | Too Many Requests — rate limited |
| 500 | Internal Server Error |
Rate Limits

| Category | Limit | Scope |
|---|---|---|
| Authentication | 10 /min | Per IP address |
| Token Validation | 100 /min | Per client system |
| User Management | 50 /min | Per authenticated user |