Authentication
Learn how to authenticate with the 1HOUSE API
The 1HOUSE API uses a two-layer authentication system with platform-based access control.
Two Environments - Different API Keys Required
The 1HOUSE API operates in two separate environments, each with its own base URL and API keys:
Development Environment:
- Base URL:
https://api-gateway.dev.1houseglobalservices.com - API Key: Your development API key (obtained from your administrator)
- Use for: Testing, development, and staging
Production Environment:
- Base URL:
https://api-gateway.prod.1houseglobalservices.com - API Key: Your production API key (obtained from your administrator)
- Use for: Live applications and real user traffic
⚠️ Critical: API keys are environment-specific and cannot be interchanged:
- ❌ Your development API key will NOT work with the production URL
- ❌ Your production API key will NOT work with the development URL
- ✅ Always use the correct API key for the environment you're targeting
- ✅ Keep your API keys secure and never commit them to version control
Two-Layer Security
All API requests require two layers: API Key (platform level) and JWT token (user level) for secure access.
Authentication Layers
The 1HOUSE API uses a two-layer authentication system:
Layer 1: API Key (Platform Level)
All API requests require an X-API-Key header:
X-API-Key: your-api-key-herePurpose: Identifies which application is making the request (Mobile app, Web platform, CRM, etc.)
Layer 2: JWT Token (User Level)
Most endpoints also require a JWT token:
Authorization: Bearer your-jwt-token-herePurpose: Identifies which user is making the request
Getting Your API Keys
API keys are managed by administrators. Contact your administrator to get API keys for both environments (development and production).
Available API Key Types:
- Mobile App - For mobile applications
- Live Platform - For web applications
- CRM - For internal CRM systems
- Third Party - For external integrations
- Admin - For administrative access
Each key type has different rate limits and permissions.
You'll need separate API keys for development and production environments. Request both from your administrator.
Platform Types
Platform Parameter Required
All sign-in and sign-up requests must include a platform parameter to specify which 1House platform you're accessing.
| Platform | Value | Description | Required Service IDs |
|---|---|---|---|
| Mobile App | app | iOS/Android applications | 34, 35 |
| Live Platform | live-platform | Web trading platform | 35 |
| Back Office | backoffice | Administrative systems | 34 |
User Authentication Flow
Sign Up
Create a new user account:
# Development
POST https://api-gateway.dev.1houseglobalservices.com/v1/auth/signup
X-API-Key: your-development-api-key
Content-Type: application/json
# Production
POST https://api-gateway.prod.1houseglobalservices.com/v1/auth/signup
X-API-Key: your-production-api-key
Content-Type: application/json{
"email": "user@example.com",
"password": "SecurePass123!",
"firstName": "John",
"lastName": "Doe",
"platform": "app", // REQUIRED: app | live-platform | backoffice
"device": "mobile", // Optional: mobile | web | tablet
"deviceId": "device-uuid-123" // Optional: unique device identifier
}{
"success": true,
"status": 201,
"message": "Account created successfully",
"data": {
"user": {
"id": "user_123",
"email": "user@example.com",
"firstName": "John",
"lastName": "Doe"
},
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs...",
"sessionId": "abc-123-def-456" // Session UUID
},
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1"
}
}Session is automatically created in MongoDB:
{
"sessionId": "abc-123-def-456",
"userId": "user_123",
"platform": "app",
"platformName": "Mobile App",
"device": "mobile",
"deviceId": "device-uuid-123",
"isActive": true,
"expiresAt": "2025-10-29T12:00:00.000Z"
}Sign In
Authenticate existing user (NVU authentication):
POST /v1/auth/signin
X-API-Key: your-api-key
Content-Type: application/jsonNVU Authentication
Sign-in authenticates against the NVU backend and validates platform-specific service access.
{
"email": "user@example.com",
"password": "password123",
"platform": "app", // REQUIRED: app | live-platform | backoffice
"device": "mobile", // Optional: mobile | web | tablet
"deviceId": "device-uuid-123" // Optional: unique device identifier
}Required Fields:
email- User email addresspassword- User passwordplatform- Platform type (validates service access)
Optional Fields:
device- Device type (default: web)deviceId- Unique device identifier
{
"success": true,
"status": 200,
"message": "Signed in to Mobile App successfully",
"data": {
"user": {
"id": "user_123",
"email": "user@example.com",
"firstName": "John",
"lastName": "Doe",
"role": "user",
"customerId": "NVU_456"
},
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs...",
"sessionId": "def-456-ghi-789", // MongoDB session UUID
"platform": "app",
"platformName": "Mobile App",
"expiration": "2025-12-31T23:59:59.000Z" // NVU service expiration
},
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1"
}
}{
"success": false,
"status": 403,
"message": "No access to Mobile App. Missing services: 34, 35",
"error": "No access to Mobile App. Missing services: 34, 35",
"errorId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1",
"errorId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
}Error UUID: Use the errorId for quick error lookup and support requests.
Use Access Token
Include the access token in subsequent requests:
GET /v1/user/profile
X-API-Key: your-api-key
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...The session created during sign-in is tracked in MongoDB and includes:
- Platform and device information
- Session expiration (7 days)
- Activity tracking
- Automatic cleanup after expiration
Refresh Token
Token Expiration
Access tokens expire after 15 minutes. Implement automatic token refresh to maintain seamless user experience.
Access tokens expire after 15 minutes. Use the refresh token to get a new one:
# Development
POST https://api-gateway.dev.1houseglobalservices.com/v1/auth/refresh-token
X-API-Key: your-development-api-key
Content-Type: application/json
# Production
POST https://api-gateway.prod.1houseglobalservices.com/v1/auth/refresh-token
X-API-Key: your-production-api-key
Content-Type: application/json{
"refreshToken": "eyJhbGciOiJIUzI1NiIs..."
}Response:
{
"success": true,
"status": 200,
"message": "Token refreshed successfully",
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "eyJhbGciOiJIUzI1NiIs..."
},
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1"
}
}Token Lifecycle
| Token Type | Expiration | Purpose | Storage |
|---|---|---|---|
| Access Token | 15 minutes | API requests | Memory/localStorage |
| Refresh Token | 7 days | Renew access token | Secure storage |
Best Practices
**Store tokens securely
- Use httpOnly cookies for web apps
- Use secure storage for mobile apps
- Never expose tokens in URLs
**Handle token expiration
// Example: Auto-refresh on 401
if (response.status === 401) {
const newToken = await refreshAccessToken();
// Retry original request with new token
}**Clear tokens on logout
localStorage.removeItem('accessToken');
localStorage.removeItem('refreshToken');Session Management
MongoDB Sessions
All authentication creates persistent sessions in MongoDB with platform, device, and activity tracking.
Session Properties
- sessionId - Unique UUID for the session
- platform - Which platform (app, live-platform, backoffice)
- device - Device type (mobile, web, tablet)
- isActive - Session status
- expiresAt - Auto-expiration (7 days)
- lastActivityAt - Last request timestamp
Sign Out
Invalidate sessions with granular control:
POST /v1/auth/signout
X-API-Key: your-api-key
Authorization: Bearer your-access-token
Content-Type: application/jsonSign out from all devices and platforms:
{}Response:
{
"success": true,
"status": 200,
"message": "Signed out successfully",
"data": {
"message": "Signed out successfully",
"device": null,
"platform": null
},
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1"
}
}Sign out from specific platform only:
{
"platform": "app"
}Deactivates all "app" sessions, keeps "live-platform" and "backoffice" sessions active.
Sign out from specific device and platform:
{
"device": "mobile",
"platform": "app"
}Deactivates only mobile+app sessions, keeps other combinations active.
Password Reset
Request Reset
POST /v1/auth/forgot-password{
"email": "user@example.com"
}Reset Password
POST /v1/auth/reset-password{
"token": "reset-token-from-email",
"newPassword": "NewSecurePass123!"
}Email Verification
Verify Email
POST /v1/auth/verify-email{
"token": "verification-token-from-email"
}Resend Verification
POST /v1/auth/resend-verificationX-API-Key: your-api-key
Authorization: Bearer your-access-tokenSecurity Features
Rate Limiting
- Per API key
- Per endpoint
- Configurable limits by tier
Token Blacklisting
- Logout invalidates tokens
- Tokens cannot be reused
- Stored in Redis for fast lookup
Password Requirements
- Minimum 8 characters
- Must include uppercase letter
- Must include lowercase letter
- Must include number
- Must include special character
Failed Login Protection
- Account locked after 5 failed attempts
- 15-minute lockout period
- Email notification on lockout
Error Handling
Error UUIDs
All errors include a unique errorId (UUID) for quick reference and support lookup. The error is logged centrally with complete context.
Error Response Format
{
"success": false,
"status": 403,
"message": "No access to Mobile App. Missing services: 34, 35",
"error": "No access to Mobile App. Missing services: 34, 35",
"errorId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"meta": {
"timestamp": "2025-10-21T12:00:00.000Z",
"version": "v1",
"errorId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
}Using Error UUIDs:
- Include
errorIdin support requests for quick debugging - Error details stored in centralized error-log-service
- Full request context, stack traces, and user info available
- Automatic sensitive data sanitization
Error Codes
| Status Code | Error | Description |
|---|---|---|
| 400 | Bad Request | Invalid platform or missing required fields |
| 401 | Unauthorized | Missing or invalid API key |
| 401 | Invalid Token | JWT token is invalid or expired |
| 401 | Token Expired | Access token has expired, refresh it |
| 403 | Forbidden | No access to platform (missing service IDs) |
| 429 | Too Many Requests | Rate limit exceeded |
Platform Access Errors
| Platform | Error | Reason |
|---|---|---|
| app | Missing services: 34, 35 | User doesn't have both required services |
| live-platform | Missing services: 35 | User doesn't have service 35 |
| backoffice | Missing services: 34 | User doesn't have service 34 |
Code Examples
// Configure environment URLs and API keys
const DEV_API_URL = 'https://api-gateway.dev.1houseglobalservices.com';
const PROD_API_URL = 'https://api-gateway.prod.1houseglobalservices.com';
const DEV_API_KEY = 'your-development-api-key';
const PROD_API_KEY = 'your-production-api-key';
// Use appropriate environment
const apiUrl = process.env.NODE_ENV === 'production' ? PROD_API_URL : DEV_API_URL;
const apiKey = process.env.NODE_ENV === 'production' ? PROD_API_KEY : DEV_API_KEY;
// Sign in with platform
const response = await fetch(`${apiUrl}/v1/auth/signin`, {
method: 'POST',
headers: {
'X-API-Key': apiKey,
'Content-Type': 'application/json'
},
body: JSON.stringify({
email: 'user@example.com',
password: 'password123',
platform: 'app', // REQUIRED: app | live-platform | backoffice
device: 'mobile', // Optional
deviceId: 'device-uuid' // Optional
})
});
if (!response.ok) {
const error = await response.json();
console.error(`Error ${error.errorId}: ${error.message}`);
// Include errorId in support requests
throw new Error(error.message);
}
const { data } = await response.json();
const { accessToken, refreshToken, sessionId, platform, platformName } = data;
// Store tokens and session info
localStorage.setItem('accessToken', accessToken);
localStorage.setItem('refreshToken', refreshToken);
localStorage.setItem('sessionId', sessionId);
localStorage.setItem('platform', platform);
// Make authenticated request
const profileResponse = await fetch(`${apiUrl}/v1/user/profile`, {
headers: {
'X-API-Key': apiKey,
'Authorization': `Bearer ${accessToken}`
}
});import requests
import os
# Configure environment URLs and API keys
DEV_API_URL = 'https://api-gateway.dev.1houseglobalservices.com'
PROD_API_URL = 'https://api-gateway.prod.1houseglobalservices.com'
DEV_API_KEY = 'your-development-api-key'
PROD_API_KEY = 'your-production-api-key'
# Use appropriate environment
api_url = PROD_API_URL if os.getenv('ENVIRONMENT') == 'production' else DEV_API_URL
api_key = PROD_API_KEY if os.getenv('ENVIRONMENT') == 'production' else DEV_API_KEY
# Sign up with platform
response = requests.post(
f'{api_url}/v1/auth/signup',
headers={
'X-API-Key': api_key,
'Content-Type': 'application/json'
},
json={
'email': 'user@example.com',
'password': 'SecurePass123!',
'firstName': 'John',
'lastName': 'Doe',
'platform': 'app', # REQUIRED
'device': 'mobile', # Optional
'deviceId': 'device-uuid' # Optional
}
)
data = response.json()
access_token = data['data']['accessToken']
refresh_token = data['data']['refreshToken']
# Make authenticated request
profile = requests.get(
f'{api_url}/v1/user/profile',
headers={
'X-API-Key': api_key,
'Authorization': f'Bearer {access_token}'
}
)# Development - Sign up with platform
curl -X POST https://api-gateway.dev.1houseglobalservices.com/v1/auth/signup \
-H "X-API-Key: your-development-api-key" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "SecurePass123!",
"firstName": "John",
"lastName": "Doe",
"platform": "app",
"device": "mobile",
"deviceId": "device-uuid"
}'
# Production - Sign up with platform
curl -X POST https://api-gateway.prod.1houseglobalservices.com/v1/auth/signup \
-H "X-API-Key: your-production-api-key" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "SecurePass123!",
"firstName": "John",
"lastName": "Doe",
"platform": "app",
"device": "mobile",
"deviceId": "device-uuid"
}'
# Development - Sign in
curl -X POST https://api-gateway.dev.1houseglobalservices.com/v1/auth/signin \
-H "X-API-Key: your-development-api-key" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "password123",
"platform": "app"
}'
# Production - Sign in
curl -X POST https://api-gateway.prod.1houseglobalservices.com/v1/auth/signin \
-H "X-API-Key: your-production-api-key" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "SecurePass123!",
"platform": "app"
}'