Bearer (user session) tokens are an authentication scheme tied to a user's login session in the Admin Console. They fit integrations that have an end user (frontends, internal dashboards, in-house mobile apps).
| Use case | Recommended scheme |
|---|---|
| Vue / React / Mobile frontend calling the API on behalf of a user | Bearer (user session) ✅ |
| CRM acting under user context (e.g. "Sales A click-to-call") | Bearer (user session) ✅ |
| Server-to-server background jobs (no user involved) | API Token |
| Webhook receiver verifying events pushed by Zorio | HMAC-SHA256 signing |
Endpoint: POST /api/auth/login
| Field | Type | Required | Description |
|---|---|---|---|
| username | string | ✅ | User's login name |
| password | string | ✅ | Password |
| device_name | string | optional | Device / app label to distinguish tokens (e.g. CRM-Salesforce, iPhone-Sales-01) |
Request body:

```json
{
  "username": "sales01",
  "password": "...",
  "device_name": "CRM-Salesforce"
}
```

Response:

```json
{
  "data": {
    "user": {
      "id": 7,
      "username": "sales01",
      "email": "sales01@example.com",
      "role": "agent",
      "team_id": 2
    }
  },
  "token": "12|abcdefghijklmnopqrstuvwxyz0123456789"
}
```

Store the token immediately in secure storage (httpOnly cookie or mobile keychain). The token is a `<id>|<random>` string.
Error responses:

```json
{ "message": "Invalid username or password." }
```

```json
{
  "message": "The given data was invalid.",
  "errors": {
    "username": ["The username field is required."]
  }
}
```

Go to Settings → API Tokens → click Create new token → name it and pick a permission scope. The token is shown only once — copy it right away.
Every request must include two headers:
```http
Authorization: Bearer <token>
Accept: application/json
```

cURL:

```bash
curl -X GET 'https://app.zorio.vn/api/pbx/extensions' \
  -H 'Authorization: Bearer 12|abcdefghijklmnopqrstuvwxyz' \
  -H 'Accept: application/json'
```

Node.js (axios):

```javascript
const axios = require('axios');

// Read the token from the environment; never hard-code it in source.
const api = axios.create({
  baseURL: 'https://app.zorio.vn/api',
  headers: {
    Authorization: 'Bearer ' + process.env.ZORIO_TOKEN,
    Accept: 'application/json',
  },
});

// Top-level await is not available in CommonJS, so wrap the call in an async function.
(async () => {
  const res = await api.get('/pbx/extensions');
  console.log(res.data);
})().catch((err) => console.error(err.response ? err.response.status : err.message));
```

PHP (Guzzle):

```php
<?php
require 'vendor/autoload.php';

$client = new GuzzleHttp\Client([
    'base_uri' => 'https://app.zorio.vn/api/',
    'headers'  => [
        'Authorization' => 'Bearer ' . getenv('ZORIO_TOKEN'),
        'Accept'        => 'application/json',
    ],
]);
$res = $client->get('pbx/extensions');
$extensions = json_decode((string) $res->getBody(), true);
```

Logout:

```http
POST /api/auth/logout
Authorization: Bearer <token>
```

Returns 200 `{ "data": { "logged_out": true } }`. The token is invalidated immediately — any later request with it → 401.
Go to Admin Console → API Tokens → click Revoke next to the token you want to remove.
```http
POST /api/auth/logout-all
Authorization: Bearer <token>
```

All of the user's live tokens are invalidated — use this when an account is suspected to be compromised.
Any later request with a revoked token returns:

```json
{ "message": "Unauthenticated." }
```

```http
GET /api/auth/me
Authorization: Bearer <token>
```

Response 200:
```json
{
  "data": {
    "id": 7,
    "username": "sales01",
    "email": "sales01@example.com",
    "role": "agent",
    "team_id": 2,
    "permissions": ["pbx_api_access", "telesales_make_call", "view_my_cdr"]
  }
}
```

Your CRM can call this on startup to learn the current user and check their permissions.
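Added example, not from the Zorio docs: a small client that puts the login, header, `/auth/me` permission check and logout behaviour described above together, with a constructed fake server standing in for the API so it runs offline. The `ZorioSession` class, the `fakeZorio` transport and the assumed status codes for the two login error bodies are mine, not the platform's.

```javascript
// Added example, not from the Zorio docs: a minimal session-token client following the response
// shapes documented above. `transport(method, url, headers, body)` is injected so it runs offline.
class ZorioSession {
  constructor(baseURL, transport) { Object.assign(this, { baseURL, transport, token: null }); }
  // POST /api/auth/login: the token sits at the top level of the body, beside "data".
  async login(username, password, deviceName) {
    const res = await this.transport('POST', this.baseURL + '/auth/login',
      { Accept: 'application/json' }, { username, password, device_name: deviceName });
    if (res.status !== 200) throw new Error(res.json.message);
    if (!/^\d+\|\w+$/.test(res.json.token)) throw new Error('unexpected token format');
    this.token = res.json.token; // memory only: never log it or put it in a URL
    return res.json.data.user;
  }
  // Both documented headers on every call; a 401 "Unauthenticated." means the token was revoked, so drop it.
  async request(method, path, body) {
    if (!this.token) throw new Error('not logged in');
    const res = await this.transport(method, this.baseURL + path,
      { Authorization: 'Bearer ' + this.token, Accept: 'application/json' }, body);
    if (res.status === 401) { this.token = null; throw new Error(res.json.message); }
    return res.json;
  }
  // GET /api/auth/me on startup to check a permission before the CRM acts for the user.
  async hasPermission(name) {
    const me = await this.request('GET', '/auth/me');
    return me.data.permissions.includes(name);
  }
  async logout() { await this.request('POST', '/auth/logout'); this.token = null; }
}
// Constructed fake of the documented endpoints (login error status codes assumed); tracks live tokens.
function fakeZorio() {
  const live = new Set(); let seq = 12;
  const user = { id: 7, username: 'sales01', email: 'sales01@example.com', role: 'agent', team_id: 2 };
  const permissions = ['pbx_api_access', 'telesales_make_call', 'view_my_cdr'];
  return async (method, url, headers, body = {}) => {
    const path = url.replace(/^.*\/api/, '');
    if (method === 'POST' && path === '/auth/login') {
      if (!body.username) return { status: 422, json: { message: 'The given data was invalid.',
        errors: { username: ['The username field is required.'] } } };
      if (body.password !== 'correct-password') return { status: 401, json: { message: 'Invalid username or password.' } };
      const token = `${seq++}|${'a'.repeat(40)}`; live.add(token);
      return { status: 200, json: { data: { user }, token } };
    }
    const token = (headers.Authorization || '').replace(/^Bearer /, '');
    if (!live.has(token)) return { status: 401, json: { message: 'Unauthenticated.' } };
    if (path === '/auth/me') return { status: 200, json: { data: { ...user, permissions } } };
    if (path === '/auth/logout') { live.delete(token); return { status: 200, json: { data: { logged_out: true } } }; }
    return { status: 404, json: { message: 'Not Found' } };
  };
}
```

Because the fake tracks tokens per device, logging out one session leaves the other device's token valid while a copy of the revoked token gets the documented 401 and is dropped from the client's memory.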
```http
POST /api/auth/change-password
Authorization: Bearer <token>
```

```json
{
  "current_password": "...",
  "new_password": "...",
  "new_password_confirmation": "..."
}
```

Response 200 `{ "data": { "changed": true } }`. The current token is NOT invalidated — the user keeps their session.
device_name) so you can revoke them in a targeted way.