Authentication and Security
7.1 Login
Access to the platform requires three pieces of information:
- Tenant (Company): unique company identifier
- Email: registered email address
- Password: password set during registration or changed later
The login endpoint is:
```http
POST /api/auth/login
```

```json
{
  "email": "user@company.com",
  "password": "yourPassword",
  "tenant": "company-name"
}
```

7.2 Two-Factor Authentication (MFA)
For enhanced security, Voki supports two-factor authentication via TOTP (Time-based One-Time Password):
- Enable MFA in your account settings
- Scan the QR Code with an authenticator app (Google Authenticator, Authy, etc.)
- On each login, in addition to email and password, you will be prompted for the 6-digit code from the authenticator
The MFA verification endpoint is:
```http
POST /api/auth/mfa/verify
```

7.3 Password Reset
If you forget your password:
- On the login screen, click "Forgot my password"
- Enter your email and tenant
- You will receive an email with a link to reset your password
- The link is valid for a limited time (expires after use)
Endpoints involved:
```http
POST /api/auth/forgot-password
POST /api/auth/reset-password
```

7.4 JWT Tokens
Voki uses JSON Web Tokens (JWT) for authentication:
| Token | Validity | Usage |
|---|---|---|
| Access Token | 15 minutes | Access to API and authenticated pages |
| Refresh Token | 7 days | Renewal of the access token without a new login |
The access token must be sent in the header of each request:
```http
Authorization: Bearer {access_token}
```

When the access token expires, use the refresh token to obtain a new one:

```http
POST /api/auth/refresh
```

7.5 Tenant Isolation
Each company (tenant) has its own schema in the PostgreSQL database, ensuring complete data isolation:
- Data from one company is never accessible to another
- Each tenant has its own tables, indexes, and records
- The tenant is determined by the JWT and validated on every request
- It is not possible to access data from another tenant even with a valid token
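As an added example, not Voki's own code, this shows how the per-request check described in 7.4 and 7.5 can be implemented: an HS256 access token that carries a tenant claim and a 15-minute expiry is verified on every request, and the tenant in the token is compared with the tenant whose data is being requested. The signing key, the claim names (`sub`, `tenant`) and the request shape are assumptions; the page does not document the token's contents.

```python
import base64, hashlib, hmac, json, time

# Constructed demo signing key; the platform's real key and claim layout are not on the page.
SECRET = b"demo-signing-key-not-the-real-one"
ACCESS_TTL = 15 * 60  # access token validity documented as 15 minutes

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(email: str, tenant: str, now=None) -> str:
    """Mint an HS256 JWT binding the user to one tenant (assumed claim names)."""
    now = int(now if now is not None else time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": email, "tenant": tenant, "iat": now, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize_request(auth_header, requested_tenant: str, now=None):
    """Validate the Bearer token, then refuse any cross-tenant access.
    Returns (status, detail): 200 with the subject, 401 for bad/expired
    tokens (client should call the refresh endpoint), 403 on tenant mismatch."""
    now = now if now is not None else time.time()
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    token = auth_header[len("Bearer "):]
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return 401, "unsupported alg"  # never trust the header to pick the algorithm
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return 401, "bad signature"
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return 401, "malformed token"
    if claims.get("exp", 0) <= now:
        return 401, "token expired"
    # A valid token for tenant A must never read tenant B's schema.
    if claims.get("tenant") != requested_tenant:
        return 403, "tenant mismatch"
    return 200, claims["sub"]
```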
7.6 Security Headers
All platform responses include security headers:
- HSTS: Forces HTTPS connections
- X-Frame-Options: DENY: Prevents embedding in iframes (clickjacking protection)
- X-Content-Type-Options: nosniff: Prevents MIME-type sniffing
- Referrer-Policy: strict-origin-when-cross-origin: Controls referrer information
- Permissions-Policy: Restricts access to browser APIs
7.7 Rate Limiting
To protect against brute-force attacks and abuse:
| Endpoint | Limit |
|---|---|
| Authentication (/api/auth/*) | 5 requests per minute |
| Public API (/api/signup/*, /api/v1/call/*) | 30 requests per minute |
When the limit is exceeded, the response will be 429 Too Many Requests.
