API Endpoints
All endpoints are available under wherever you mounted robustauth.urls. The examples below assume path("auth/", include("robustauth.urls")).
POST /auth/login/
Authenticate with username and password. Returns an access + refresh token pair.
Authentication required: No
Request:
{
"username": "alice",
"password": "secret"
}
Response 200:
{
"access_token": "a3f9c2...",
"refresh_token": "b7c241...",
"session_id": "550e8400-e29b-41d4-a716-446655440000",
"token_type": "Bearer"
}
Error 400:
{
"non_field_errors": ["Invalid credentials."]
}
POST /auth/token/refresh/
Exchange a refresh token for a brand new access + refresh token pair. The submitted refresh token is immediately invalidated.
Authentication required: No
Request:
{
"refresh_token": "b7c241..."
}
Response 200:
{
"access_token": "d1e4f5...",
"refresh_token": "f5a8b9...",
"token_type": "Bearer"
}
Error 400 (expired or invalid):
{
"non_field_errors": ["Invalid or expired refresh token."]
}
Security note: If a refresh token that has already been used is submitted, RobustAuth detects the reuse, revokes the entire token family, and terminates all sessions for that user. The
token_reuse_detectedsignal is fired.
POST /auth/logout/
Revoke the current session. The access token and all associated refresh tokens are immediately invalidated.
Authentication required: Yes — Authorization: Bearer <access_token>
Response 200:
{
"detail": "Logged out successfully."
}
POST /auth/logout/all/
Revoke all sessions for the authenticated user. Optionally keep the current session alive.
Authentication required: Yes
Request:
{
"keep_current": true
}
Response 200:
{
"detail": "Revoked 3 session(s)."
}
GET /auth/sessions/
List all active sessions for the authenticated user. The current session is identified with "is_current": true.
Authentication required: Yes
Response 200:
[
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"state": "active",
"ip_address": "41.58.12.34",
"device_type": "mobile",
"os_family": "Android",
"browser_family": "Chrome Mobile",
"device_name": "Samsung SM-G991",
"created_at": "2025-06-01T10:23:00Z",
"last_activity": "2025-06-01T14:05:00Z",
"is_current": true
},
{
"id": "6ba7b810-9dad-11d1-80b4-00c04fd430c8",
"state": "active",
"ip_address": "41.58.12.34",
"device_type": "desktop",
"os_family": "Windows",
"browser_family": "Firefox",
"device_name": "Other",
"created_at": "2025-05-30T08:00:00Z",
"last_activity": "2025-05-30T09:15:00Z",
"is_current": false
}
]
DELETE /auth/sessions/<uuid>/
Revoke a specific session by its UUID. Users can only revoke their own sessions.
Authentication required: Yes
Response 200:
{
"detail": "Session revoked."
}
Error 404:
{
"detail": "Session not found."
}
GET /auth/history/
Return the authentication event log for the authenticated user, ordered by most recent first.
Authentication required: Yes
Query params: ?limit=50 (default: 50)
Response 200:
[
{
"id": 5,
"event": "token_refresh",
"ip_address": "41.58.12.34",
"user_agent": "Mozilla/5.0 (Linux; Android 13 ...)",
"extra": {},
"timestamp": "2025-06-01T14:05:00Z"
},
{
"id": 4,
"event": "login_success",
"ip_address": "41.58.12.34",
"user_agent": "Mozilla/5.0 (Linux; Android 13 ...)",
"extra": {},
"timestamp": "2025-06-01T10:23:00Z"
},
{
"id": 3,
"event": "login_failure",
"ip_address": "41.58.12.34",
"user_agent": "Mozilla/5.0 ...",
"extra": {"username": "alice", "failure_count": 1},
"timestamp": "2025-06-01T10:22:00Z"
}
]
Event types:
Event |
Description |
|---|---|
|
Successful login |
|
Failed login attempt |
|
Normal logout |
|
Access token refreshed |
|
Reuse of an already-used refresh token detected |
|
User changed their password |
|
Session was explicitly revoked |
|
Session was force-revoked by a policy (e.g. single-session, password change) |