
Bearer (user session)

Bearer (user session) tokens are an authentication scheme tied to a user's login session in the Admin Console. They fit integrations that have an end user (frontends, internal dashboards, in-house mobile apps).

When to use Bearer (user session)

| Use case | Recommended scheme |
|---|---|
| Vue / React / Mobile frontend calling the API on behalf of a user | Bearer (user session) |
| CRM acting under user context (e.g. "Sales A click-to-call") | Bearer (user session) |
| Server-to-server background jobs (no user involved) | API Token |
| Webhook receiver verifying events pushed by Zorio | HMAC-SHA256 signing |

Get a token

Option 1 — Log in via API

Endpoint: POST /api/auth/login

Request body

| Field | Type | Required | Description |
|---|---|---|---|
| username | string | yes | User's login name |
| password | string | yes | Password |
| device_name | string | optional | Device / app label to distinguish tokens (e.g. CRM-Salesforce, iPhone-Sales-01) |

```json
{
  "username": "sales01",
  "password": "...",
  "device_name": "CRM-Salesforce"
}
```

Response 200

```json
{
  "data": {
    "user": {
      "id": 7,
      "username": "sales01",
      "email": "sales01@example.com",
      "role": "agent",
      "team_id": 2
    }
  },
  "token": "12|abcdefghijklmnopqrstuvwxyz0123456789"
}
```

Store the token immediately in secure storage (httpOnly cookie or mobile keychain). The token is a `<id>|<random>` string.

Response 401

```json
{ "message": "Invalid username or password." }
```

Response 422

```json
{
  "message": "The given data was invalid.",
  "errors": {
    "username": ["The username field is required."]
  }
}
```

Option 2 — Create a token from the Admin Console

Go to Settings → API Tokens → click Create new token → name it and pick a permission scope. The token is shown only once — copy it right away.

Use the token in requests

Every request must include two headers:

```http
Authorization: Bearer <token>
Accept: application/json
```

cURL example

```bash
curl -X GET 'https://app.zorio.vn/api/pbx/extensions' \
  -H 'Authorization: Bearer 12|abcdefghijklmnopqrstuvwxyz' \
  -H 'Accept: application/json'
```

Node.js example (axios)

```js
const axios = require('axios');

const api = axios.create({
  baseURL: 'https://app.zorio.vn/api',
  headers: {
    // Token comes from the environment, never from source code
    Authorization: 'Bearer ' + process.env.ZORIO_TOKEN,
    Accept: 'application/json',
  },
});

// Top-level await is not available in a CommonJS module, so wrap the call
async function main() {
  const res = await api.get('/pbx/extensions');
  console.log(res.data);
}

// A 401 here means the token has expired or been revoked
main().catch((err) => console.error(err.response ? err.response.status : err.message));
```

PHP example (Guzzle)

```php
<?php
require 'vendor/autoload.php'; // Guzzle via Composer

$client = new GuzzleHttp\Client([
    'base_uri' => 'https://app.zorio.vn/api/',
    'headers'  => [
        // Token comes from the environment, never from source code
        'Authorization' => 'Bearer ' . getenv('ZORIO_TOKEN'),
        'Accept'        => 'application/json',
    ],
]);
$res = $client->get('pbx/extensions');
echo $res->getBody();
```

Logout / Revoke

Logout current session

```http
POST /api/auth/logout
Authorization: Bearer <token>
```

Returns 200 { "data": { "logged_out": true } }. The token is invalidated immediately — any later request with it → 401.

Revoke a specific token (admin)

Go to Admin Console → API Tokens → click Revoke next to the token you want to remove.

Revoke all of a user's tokens (logout-all)

```http
POST /api/auth/logout-all
Authorization: Bearer <token>
```

All of the user's live tokens are invalidated — use this when an account is suspected to be compromised.

Token lifetime

  • By default tokens do not auto-expire — only manual revoke removes them.
  • An expiration policy can be configured in the Admin Console: 30 / 60 / 90 / 180 days.
  • Once expired or revoked → the API returns HTTP 401 with body { "message": "Unauthenticated." }.

Whoami (check the current token)

```http
GET /api/auth/me
Authorization: Bearer <token>
```

Response 200:

```json
{
  "data": {
    "id": 7,
    "username": "sales01",
    "email": "sales01@example.com",
    "role": "agent",
    "team_id": 2,
    "permissions": ["pbx_api_access", "telesales_make_call", "view_my_cdr"]
  }
}
```

Your CRM can call this on startup to learn the current user and check their permissions.

Change password

```http
POST /api/auth/change-password
Authorization: Bearer <token>
```

```json
{
  "current_password": "...",
  "new_password": "...",
  "new_password_confirmation": "..."
}
```

Response 200 { "data": { "changed": true } }. The current token is NOT invalidated — the user keeps their session.

Best practice

  • DO NOT hardcode tokens in frontend code (they leak through DevTools).
  • DO NOT commit tokens to git.
  • Long-lived tokens → store in a vault (1Password, AWS Secrets Manager, HashiCorp Vault).
  • Rotate tokens every 90 days.
  • One token per app / device (device_name) so you can revoke them in a targeted way.
  • Catch 401 gracefully → redirect the user to login, don't crash the app.
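The login, call, logout and "catch 401 gracefully" steps above, as an added example (not Zorio's own SDK or sample code): a small session client with an injected `fetch`, exercised against a constructed fake server that returns the status codes and bodies documented on this page. The class `ZorioSession`, the fake `fakeZorioFetch`, and its user `sales01` / password `secret` are constructed for this example.

```javascript
// Added example (not Zorio's SDK): a minimal session client following the endpoints and bodies
// documented above. fetchImpl is injected so the constructed fake server below can stand in for https://app.zorio.vn/api.
class ZorioSession {
  constructor(baseUrl, fetchImpl, onUnauthenticated) {
    Object.assign(this, { baseUrl, fetchImpl, onUnauthenticated, token: null });
  }
  async request(method, path, body) {
    const headers = { Accept: 'application/json', 'Content-Type': 'application/json' };
    if (this.token) headers.Authorization = 'Bearer ' + this.token; // both headers on every call
    const res = await this.fetchImpl(this.baseUrl + path, { method, headers, body: body && JSON.stringify(body) });
    const json = await res.json();
    if (res.status === 401 && this.token) {
      // Expired or revoked token ("Unauthenticated."): forget it and hand off to the login flow.
      this.token = null;
      this.onUnauthenticated(json.message);
    }
    return { status: res.status, json };
  }
  async login(username, password, device_name) {
    const r = await this.request('POST', '/auth/login', { username, password, device_name });
    if (r.status === 200) this.token = r.json.token; // in memory only; a 401 here is a bad password
    return r;
  }
  me() { return this.request('GET', '/auth/me'); }
  async logout() {
    const r = await this.request('POST', '/auth/logout');
    if (r.status === 200) this.token = null; // server has already invalidated it
    return r;
  }
}
// Constructed fake server reproducing the documented status codes and response bodies.
function fakeZorioFetch(validPassword = 'secret') {
  const live = new Set(); let nextId = 12;
  const reply = (status, body) => ({ status, json: async () => body });
  return async (url, { headers, body }) => {
    const path = url.slice(url.indexOf('/api') + 4);
    if (path === '/auth/login') {
      const b = JSON.parse(body);
      if (b.username !== 'sales01' || b.password !== validPassword) return reply(401, { message: 'Invalid username or password.' });
      const token = `${nextId++}|${'a'.repeat(36)}`; // <id>|<random> format
      live.add(token);
      return reply(200, { data: { user: { id: 7, username: 'sales01', role: 'agent' } }, token });
    }
    const token = (headers.Authorization || '').replace(/^Bearer /, '');
    if (!live.has(token)) return reply(401, { message: 'Unauthenticated.' }); // expired or revoked
    if (path === '/auth/logout') { live.delete(token); return reply(200, { data: { logged_out: true } }); }
    return path === '/auth/me' ? reply(200, { data: { id: 7, username: 'sales01', role: 'agent' } }) : reply(404, { message: 'Not found.' });
  };
}
```

Reusing a token after logout hits the fake's 401 path, which is where a real frontend would redirect to the login screen instead of crashing.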

Licensed under Zorio's terms of use.