Cognita

    Authentication

    Cognita supports the following authentication methods:
    1. OAuth2 Authorization Code (enterprise SSO) — for organizations integrating with SSO (Google/Microsoft/SAML). Use the standard token endpoint and consent flows.
    2. JWT Bearer Tokens — short-lived access tokens (recommended TTL: 15m) plus refresh tokens for clients.
    3. Service tokens — long-lived tokens for server-to-server communication (scoped; rotate them).
    4. mTLS — optional for internal service communication.
    5. Webhook signing — HMAC-SHA256 signature carried in the X-Cognita-Signature header.
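As an added example (not code from the Cognita documentation), here is how a webhook consumer would check the X-Cognita-Signature header in Python. The page states only that the signature is HMAC-SHA256; that it is hex-encoded, that the signed input is the raw request body, and the way the shared secret is provisioned are assumptions made for the example. The event body below is constructed.

```python
import hashlib
import hmac
import json

HEADER = "x-cognita-signature"   # header name from the page, matched case-insensitively


def sign_payload(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw body, hex-encoded (the encoding is an assumption)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """True only if the header carries a valid HMAC over exactly these bytes."""
    received = None
    for name, value in headers.items():
        if name.lower() == HEADER:
            received = value
            break
    if not received:
        return False
    expected = sign_payload(secret, body)
    try:
        # compare_digest runs in constant time; lowercasing tolerates upper-case hex.
        return hmac.compare_digest(expected, received.strip().lower())
    except TypeError:
        # Non-ASCII junk in the header cannot be a hex digest.
        return False


def accept_webhook(secret: bytes, headers: dict, raw_body: bytes):
    """Decode the event only after the signature over the raw bytes checks out."""
    if not verify_webhook(secret, raw_body, headers):
        return None
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample, not a real Cognita event.
    secret = b"constructed-demo-secret"
    body = b'{"event":"meeting.completed","id":"evt_demo_1"}'
    headers = {"X-Cognita-Signature": sign_payload(secret, body)}
    print(accept_webhook(secret, headers, body))            # decoded event
    print(accept_webhook(secret, headers, body + b" "))     # tampered -> None
```

Verify against the raw bytes as received, before any JSON parsing or re-serialisation: a whitespace or key-order change in a re-encoded body yields a different digest, and a rejected request should be dropped without acting on its contents.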

    Bearer Header Example

    Authorization: Bearer eyJhbGciOiJ...

    OAuth scopes Example

    meeting:read, meeting:write, transcript:read, transcript:write, summaries:read, integration:jira:write, org:admin

    Quick reference

    Purpose          | Method | Path             | Auth
    -----------------|--------|------------------|--------------------------
    Register         | POST   | /register        | none
    Verify email     | POST   | /verify-email    | none
    Login (password) | POST   | /login           | none
    Refresh token    | POST   | /refresh         | none (send refresh token)
    Logout           | POST   | /logout          | Bearer
    Forgot password  | POST   | /forgot-password | none
    Reset password   | POST   | /reset-password  | none
    MFA setup        | POST   | /mfa/setup       | Bearer
    MFA verify       | POST   | /mfa/verify      | depends on flow
    Get current user | GET    | /me              | Bearer
    Update profile   | PUT    | /me              | Bearer

    Important HTTP codes

    200 OK — successful GET/PUT/POST (non-create).
    201 Created — resource created (e.g., register).
    202 Accepted — async or MFA required.
    400 Bad Request / ValidationError
    401 Unauthorized — invalid/expired access token
    403 Forbidden — e.g., TokenCompromised or insufficient scope
    404 Not Found
    409 Conflict — duplicate entity (email exists)
    429 Too Many Requests — use Retry-After header
    500 Internal Server Error

    Token storage & security best practices (for consumers)

    Web (SPA)

    Preferred: store refreshToken in HttpOnly Secure cookie (same-site=Strict or Lax per UX). Keep accessToken in memory, or short-lived in memory + refresh cycle.
    Avoid storing tokens in localStorage (XSS risk).

    Native mobile

    Store tokens in device’s secure store (Keychain / Keystore). Use rotation.

    Server-to-server

    Keep keys and refresh tokens in secure vault (env vars for short-term only, or a secret manager). Use client credentials for backend integrations.

    Always

    Send tokens only over HTTPS.
    Implement CSRF protections such as double submit cookies or same-site.
    Validate server expiresIn and schedule refresh proactively (e.g., at 70-80% expiry).
    On 401 -> attempt refresh once, then redirect to login if refresh fails.

    Retry/backoff rules for clients

    On 429 use Retry-After header value (server-provided).
    On 500/502/503 use exponential backoff with jitter, max retries = 3.
    Idempotent GETs are safe to retry. For POSTs, send an Idempotency-Key header so the server can dedupe retried requests.
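The following Python client is an added example, not code from Cognita, that puts the "Always" rules and the retry/backoff rules above into one request path: it validates expiresIn and schedules a proactive refresh at 75% of the token lifetime, refreshes once on 401 and raises so the app can redirect to login if that fails, honours Retry-After on 429, backs off exponentially with jitter on 500/502/503 for at most 3 retries, and reuses a single Idempotency-Key across all attempts of a POST. The transport signature, the CognitaClient name, and the accessToken/refreshToken response field names are assumptions (only expiresIn is named on the page); Retry-After is handled in its delay-seconds form only.

```python
import random
import time
import uuid

# Values taken from the page's client rules.
MAX_RETRIES = 3
REFRESH_FRACTION = 0.75        # inside the recommended 70-80% window of expiresIn
RETRYABLE_5XX = (500, 502, 503)


class AuthError(Exception):
    """Refresh failed or the token response was unusable: send the user to login."""


class CognitaClient:
    """Assumed transport: transport(method, path, headers, json_body) -> (status, headers, json_body)."""

    def __init__(self, transport, refresh_token, now=time.monotonic,
                 sleep=time.sleep, rng=random.random):
        self._transport = transport
        self._refresh_token = refresh_token
        self._access_token = None        # kept in memory only, per the SPA guidance
        self._refresh_due = 0.0
        self._now, self._sleep, self._rng = now, sleep, rng

    @property
    def access_token(self):
        return self._access_token

    def _store_tokens(self, payload):
        # Validate expiresIn before trusting it, then schedule the proactive refresh.
        try:
            expires_in = int(payload["expiresIn"])
        except (KeyError, TypeError, ValueError):
            raise AuthError("token response lacks a valid expiresIn")
        if expires_in <= 0:
            raise AuthError("non-positive expiresIn")
        self._access_token = payload["accessToken"]
        self._refresh_token = payload.get("refreshToken", self._refresh_token)
        self._refresh_due = self._now() + expires_in * REFRESH_FRACTION

    def refresh(self):
        # POST /refresh needs no bearer token; the refresh token travels in the body.
        status, _, body = self._transport("POST", "/refresh", {},
                                          {"refreshToken": self._refresh_token})
        if status != 200:
            raise AuthError(f"refresh failed with HTTP {status}")
        self._store_tokens(body)

    def request(self, method, path, json_body=None):
        if self._access_token is None or self._now() >= self._refresh_due:
            self.refresh()
        headers = {"Authorization": f"Bearer {self._access_token}"}
        if method == "POST":
            # One key for the whole attempt sequence so the server can dedupe retries.
            headers["Idempotency-Key"] = str(uuid.uuid4())
        retryable = method == "GET" or "Idempotency-Key" in headers
        refreshed_once = False
        attempt = 0
        while True:
            status, resp_headers, resp_body = self._transport(method, path, headers, json_body)
            if status == 401 and not refreshed_once:
                refreshed_once = True
                self.refresh()                   # raises AuthError if the refresh fails
                headers["Authorization"] = f"Bearer {self._access_token}"
                continue
            if not retryable or attempt >= MAX_RETRIES:
                return status, resp_body
            if status == 429:
                delay = float(resp_headers.get("Retry-After", 1))   # server-provided wait
            elif status in RETRYABLE_5XX:
                delay = (2 ** attempt) + self._rng()                 # exponential backoff + jitter
            else:
                return status, resp_body
            attempt += 1
            self._sleep(delay)
```

Injecting now, sleep and rng keeps the refresh schedule and backoff deterministic under test; in production the defaults apply. Methods other than GET and POST are returned on the first failure because the page only declares GETs (and keyed POSTs) retry-safe.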
    Modified at 2025-10-11 10:41:02