Authentication

Every PropOps API endpoint requires authentication. The platform supports two authentication methods depending on your client type.

Browser session
Bearer token

Browser clients authenticate automatically via session cookies set at login. No additional configuration is needed — the browser sends the session cookie on every request.Session lifetimes:

Session type	Duration
Web browser (active)	2 hours
Web browser (idle)	30 minutes
Remember Me	30 days

Cookies are set with HttpOnly, Secure (HTTPS only), and SameSite=Lax flags to prevent JavaScript access and cross-site request forgery.

Mobile apps and direct API clients use a 64-character SHA-256 Bearer token. Request a token from POST /api/security/mobile-auth, then include it on every request in the Authorization header.Bearer tokens are long-lived (up to one year). You can revoke a token at any time via DELETE /api/security/mobile-auth.

Request a Bearer token

Send your credentials to the mobile auth endpoint. You receive a token in the response.

curl -X POST https://propops.yourcompany.com/api/security/mobile-auth \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "password": "your-password"
  }'

Response:

{
  "success": true,
  "data": {
    "token": "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"
  },
  "message": "Mobile authentication token issued"
}

Include the token on every request

Pass the token in the Authorization header using the Bearer scheme.

curl https://propops.yourcompany.com/api/jobs/manage \
  -H "Authorization: Bearer a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2"

CSRF tokens

State-changing requests — POST, PUT, and DELETE — require a valid CSRF token in addition to your session or Bearer token. This protects against cross-site request forgery attacks.

Get a token

GET /api/security/csrf-token

Response

{
  "success": true,
  "data": {
    "token": "abc123def456..."
  },
  "message": "CSRF token issued"
}

Send the token

Pass the CSRF token in any one of these locations:

Location	Key
JSON request body	`csrf_token`
Form field or POST parameter	`csrf_token`
HTTP request header	`X-CSRF-Token`

curl -X POST https://propops.yourcompany.com/api/jobs/manage \
  -H "Authorization: Bearer <your-token>" \
  -H "X-CSRF-Token: abc123def456..." \
  -H "Content-Type: application/json" \
  -d '{ "title": "Boiler repair", "priority": "high" }'

CSRF tokens are single-use and session-scoped. Fetch a fresh token for each state-changing operation or at the start of each user session.

Permissions

Access to each endpoint is controlled by a granular permission key in dot-notation, for example api.jobs.manage.manage. Your account inherits permissions from the role your administrator assigns to you. If you call an endpoint your role does not have permission for, you receive 403 Forbidden:

{
  "success": false,
  "error": "You do not have permission to perform this action"
}

To see your resolved permissions, call:

GET /api/users/permissions

Contact your PropOps administrator to request additional permissions for your role.

Overview

Jobs

Users

Contractors

Tenants

Agents & Branches

Dashboard

Analytics & Reports

Financial

Notifications

Email

WhatsApp

Search

Security

GDPR & Privacy

System

Administration

Automation

Attachments

Feedback

CSRF tokens

Get a token

Send the token

Permissions

Overview

Jobs

Users

Contractors

Tenants

Agents & Branches

Dashboard

Analytics & Reports

Financial

Notifications

Email

WhatsApp

Search

Security

GDPR & Privacy

System

Administration

Automation

Attachments

Feedback

​CSRF tokens

​Get a token

​Send the token

​Permissions

CSRF tokens

Get a token

Send the token

Permissions