Leaf uses JWT (JSON Web Token) authentication. You send your email and password to the authenticate endpoint, get back a token, and include that token as a Bearer token in the Authorization header on every subsequent request.

Get a token

Send a POST request to the authenticate endpoint:
https://api.withleaf.io/api/authenticate
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{"username":"your-email@example.com","password":"your-password","rememberMe":"true"}' \
  'https://api.withleaf.io/api/authenticate'
The response:
{
  "id_token": "eyJhbGciOi..."
}

Token lifecycle

The rememberMe field controls how long your token lasts:
rememberMe   Token duration
"true"       30 days
"false"      24 hours
When a token expires, request a new one from the same endpoint. There is no refresh token flow; you re-authenticate with credentials.

Using the token

Include the token in the Authorization header of every API request:
curl -H 'Authorization: Bearer eyJhbGciOi...' \
  'https://api.withleaf.io/services/usermanagement/api/users'
If the token is missing, expired, or invalid, the API returns a 401 Unauthorized response.
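The three steps above (authenticate, watch the token's lifetime, send it as a Bearer token and re-authenticate on a 401) can be put together in one small client. The following is an added example, not Leaf's own code or SDK: it reads the token's exp claim only to decide when to fetch a new one (it does not verify the signature; the API stays the authority), and it runs offline against a constructed stand-in for the API that mimics the 24-hour / 30-day lifetimes and the 401 behaviour described on this page. The hypothetical password "correct-horse", the FakeLeaf class and the token format are all constructed for the demo.

```python
"""Added example (not Leaf's own code): obtain an id_token, reuse it until it
is close to expiry, and re-authenticate with credentials on expiry or 401."""
import base64
import json
import time
from typing import Callable, Optional, Tuple

AUTH_URL = "https://api.withleaf.io/api/authenticate"
USERS_URL = "https://api.withleaf.io/services/usermanagement/api/users"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_expiry(id_token: str) -> Optional[int]:
    """Return the 'exp' claim (seconds since epoch) of a JWT, or None if the
    token is malformed. No signature check: used only for client-side timing."""
    try:
        _header, payload, _sig = id_token.split(".")
        exp = json.loads(_b64url_decode(payload)).get("exp")
    except (ValueError, UnicodeDecodeError):
        return None
    return int(exp) if isinstance(exp, (int, float)) else None


def token_is_fresh(id_token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True if the token will still be valid 'skew' seconds from now."""
    exp = token_expiry(id_token)
    now = time.time() if now is None else now
    return exp is not None and now + skew < exp


class LeafClient:
    """Caches one token per API owner account and re-authenticates as needed.
    post(url, json_body) and get(url, headers) are injected so the example
    runs offline; in real use they would wrap an HTTP library."""

    def __init__(self, username: str, password: str, remember_me: bool,
                 post: Callable, get: Callable, clock: Callable[[], float] = time.time):
        self.username, self.password, self.remember_me = username, password, remember_me
        self._post, self._get, self._clock = post, get, clock
        self._token: Optional[str] = None
        self.auth_calls = 0  # how often credentials were sent (for the demo)

    def authenticate(self) -> str:
        body = {"username": self.username, "password": self.password,
                "rememberMe": "true" if self.remember_me else "false"}
        status, text = self._post(AUTH_URL, body)
        if status != 200:
            raise RuntimeError(f"authentication failed with HTTP {status}")
        self._token = json.loads(text)["id_token"]
        self.auth_calls += 1
        return self._token

    def get(self, url: str) -> Tuple[int, str]:
        if self._token is None or not token_is_fresh(self._token, self._clock()):
            self.authenticate()  # no refresh flow: re-send credentials
        status, text = self._get(url, {"Authorization": f"Bearer {self._token}"})
        if status == 401:  # token rejected server-side: retry once with a new token
            self.authenticate()
            status, text = self._get(url, {"Authorization": f"Bearer {self._token}"})
        return status, text


# ---- constructed stand-in for the API, so the example runs offline ----------
def make_unsigned_token(exp: int) -> str:
    """Constructed JWT-shaped token with an empty signature (demo only)."""
    def seg(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none'})}.{seg({'sub': 'demo', 'exp': exp})}."


class FakeLeaf:
    """Issues tokens lasting 24h or 30d and answers 401 to unknown/expired ones."""
    def __init__(self, clock: Callable[[], float]):
        self.clock, self.issued = clock, set()

    def post(self, url: str, body: dict) -> Tuple[int, str]:
        if url != AUTH_URL or body.get("password") != "correct-horse":  # hypothetical
            return 401, ""
        ttl = 30 * 86400 if body.get("rememberMe") == "true" else 86400
        tok = make_unsigned_token(int(self.clock()) + ttl)
        self.issued.add(tok)
        return 200, json.dumps({"id_token": tok})

    def get(self, url: str, headers: dict) -> Tuple[int, str]:
        auth = headers.get("Authorization", "")
        tok = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if tok not in self.issued or not token_is_fresh(tok, self.clock(), skew=0):
            return 401, "Unauthorized"
        return 200, "[]"


class FakeClock:
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> Tuple[int, int, int, int]:
    clock = FakeClock(1_700_000_000)
    api = FakeLeaf(clock)
    client = LeafClient("leaf-test@yourcompany.com", "correct-horse", False,
                        api.post, api.get, clock)
    first = client.get(USERS_URL)[0]   # authenticates, then 200
    second = client.get(USERS_URL)[0]  # cached token reused, no new login
    clock.t += 25 * 3600               # jump past the 24-hour lifetime
    third = client.get(USERS_URL)[0]   # stale token detected, re-authenticates
    return first, second, third, client.auth_calls


if __name__ == "__main__":
    print(demo())  # (200, 200, 200, 2)
```

Using the test API owner account in the demo mirrors the environment advice below; in production the same client would be constructed with the production owner's credentials, so each account keeps its own cached token.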

Multiple environments

Leaf does not provide separate test and production environments. Instead, create distinct API owner accounts for each:
  • leaf-test@yourcompany.com for development and testing
  • leaf-prod@yourcompany.com for production
Each API owner has its own token, Leaf users, configurations, and billing. This keeps test data isolated from production.
Your contract may include a testing acre allotment. Make sure all test-related API calls use your test API owner account so testing usage is tracked separately.

Last modified on March 24, 2026