NocoDB provides multiple authentication methods to secure your API requests. Choose the method that best fits your use case.

Authentication Methods

JWT Token Authentication

JWT (JSON Web Token) authentication is used for user-based authentication. After signing in, you receive a JWT token that’s valid for 10 hours by default.

Sign Up

Create a new user account. The first user is automatically marked as super admin.
curl -X POST 'https://app.nocodb.com/api/v1/auth/user/signup' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com",
    "password": "password123456789",
    "firstname": "Alice",
    "lastname": "Smith"
  }'
Request body:
  • email (string, required): User email address
  • password (string, required): User password (minimum length required)
  • firstname (string, optional): User’s first name
  • lastname (string, optional): User’s last name

Response:
  • token (string): JWT access token for authentication
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6IndAbm9jb2RiLmNvbSIsImZpcnN0bmFtZSI6bnVsbCwibGFzdG5hbWUiOm51bGwsImlkIjoidXNfYjN4bzJpNDRueDV5OWwiLCJyb2xlcyI6Im9yZy1sZXZlbC1jcmVhdG9yLHN1cGVyIiwidG9rZW5fdmVyc2lvbiI6ImJmMTc3ZGUzYjk3YjAzMjY4YjU0NGZmMjMzNGU5YjFhMGUzYzgxM2NiYzliOTJkYWMwYmM5NTRiNmUzN2ZjMTJjYmFkNDM2NmIwYzExZTdjIiwiaWF0IjoxNjc4MDc4NDMyLCJleHAiOjE2NzgxMTQ0MzJ9.gzwp_svZlbA5PV_eawYV-9UFjZVjniy-tCDce16xrkI"
}

Sign In

Authenticate an existing user with email and password.
curl -X POST 'https://app.nocodb.com/api/v1/auth/user/signin' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com",
    "password": "Password"
  }'
Request body:
  • email (string, required): Registered user email
  • password (string, required): User password

Response:
  • token (string): JWT access token valid for 10 hours (configurable via the NC_JWT_EXPIRES_IN environment variable)
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6IndAbm9jb2RiLmNvbSIsImZpcnN0bmFtZSI6bnVsbCwibGFzdG5hbWUiOm51bGwsImlkIjoidXNfYjN4bzJpNDRueDV5OWwiLCJyb2xlcyI6Im9yZy1sZXZlbC1jcmVhdG9yLHN1cGVyIiwidG9rZW5fdmVyc2lvbiI6ImJmMTc3ZGUzYjk3YjAzMjY4YjU0NGZmMjMzNGU5YjFhMGUzYzgxM2NiYzliOTJkYWMwYmM5NTRiNmUzN2ZjMTJjYmFkNDM2NmIwYzExZTdjIiwiaWF0IjoxNjc4MDc4NDMyLCJleHAiOjE2NzgxMTQ0MzJ9.gzwp_svZlbA5PV_eawYV-9UFjZVjniy-tCDce16xrkI"
}

Using JWT Tokens

Once you have a JWT token, include it in your API requests using the xc-auth header:
curl -X GET 'https://app.nocodb.com/api/v1/auth/user/me' \
  -H 'xc-auth: YOUR_JWT_TOKEN'
Alternatively, you can use the standard Authorization header with Bearer token:
curl -X GET 'https://app.nocodb.com/api/v1/auth/user/me' \
  -H 'Authorization: Bearer YOUR_JWT_TOKEN'

Get User Info

Retrieve information about the authenticated user.
curl -X GET 'https://app.nocodb.com/api/v1/auth/user/me' \
  -H 'xc-auth: YOUR_JWT_TOKEN'
{
  "id": "us_8kugj628ebjngs",
  "email": "user@example.com",
  "email_verified": true,
  "firstname": "Alice",
  "lastname": "Smith",
  "roles": "org-level-viewer"
}

Refresh Token

Create a new refresh token and JWT auth token. The refresh token is sent as a cookie.
curl -X POST 'https://app.nocodb.com/api/v1/auth/token/refresh' \
  -H 'xc-auth: YOUR_JWT_TOKEN'
{
  "token": "96751db2d53fb834382b682268874a2ea9ee610e4d904e688d1513f11d3c30d62d36d9e05dec0d63"
}
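The sign-in, header and token-lifetime behaviour described in the Sign In, Using JWT Tokens and Refresh Token sections, as a small Python client. This is an added example, not NocoDB's own SDK: the endpoint paths, the xc-auth / Authorization: Bearer headers, the sample JWT and the /me response are taken from this page; the injectable transport, the offline stub server (fake_nocodb_transport), the "correct horse" credentials and the 10-minute refresh margin are assumptions made here so the flow can be exercised without network access. The JWT payload is decoded only to read iat/exp for scheduling; a client holds no signing secret, so it cannot and must not treat the decoded claims as verified.

```python
import base64
import json
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# The sample JWT from this page's sign-in response; its payload decodes to
# iat=1678078432 and exp=1678114432, i.e. exactly the documented 10h lifetime.
PAGE_SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJlbWFpbCI6IndAbm9jb2RiLmNvbSIsImZpcnN0bmFtZSI6bnVsbCwibGFzdG5hbWUiOm51bGwsImlkIjoidXNfYjN4bzJpNDRueDV5OWwiLCJyb2xlcyI6Im9yZy1sZXZlbC1jcmVhdG9yLHN1cGVyIiwidG9rZW5fdmVyc2lvbiI6ImJmMTc3ZGUzYjk3YjAzMjY4YjU0NGZmMjMzNGU5YjFhMGUzYzgxM2NiYzliOTJkYWMwYmM5NTRiNmUzN2ZjMTJjYmFkNDM2NmIwYzExZTdjIiwiaWF0IjoxNjc4MDc4NDMyLCJleHAiOjE2NzgxMTQ0MzJ9."
    "gzwp_svZlbA5PV_eawYV-9UFjZVjniy-tCDce16xrkI"
)

# Assumed transport shape: (method, url, headers, body) -> (status, response bytes)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport; used only when no offline stub is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature (client has no secret).
    Use the result only to plan refreshes, never as proof of identity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token: str, now: Optional[float] = None) -> float:
    """Seconds left before the token's exp claim; negative once it has lapsed."""
    now = time.time() if now is None else now
    return decode_jwt_claims(token)["exp"] - now


class NocoAuthClient:
    def __init__(self, base_url: str, transport: Transport = urllib_transport,
                 use_bearer: bool = False):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.use_bearer = use_bearer  # pick one of the two documented header forms
        self.token: Optional[str] = None

    def auth_headers(self) -> Dict[str, str]:
        if self.token is None:
            raise RuntimeError("sign in first")
        if self.use_bearer:
            return {"Authorization": f"Bearer {self.token}"}
        return {"xc-auth": self.token}

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              auth: bool = False) -> dict:
        headers: Dict[str, str] = {}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        if auth:
            headers.update(self.auth_headers())
        status, raw = self.transport(method, self.base_url + path, headers, data)
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return json.loads(raw)

    def sign_in(self, email: str, password: str) -> str:
        resp = self._call("POST", "/api/v1/auth/user/signin",
                          {"email": email, "password": password})
        self.token = resp["token"]
        return self.token

    def me(self) -> dict:
        return self._call("GET", "/api/v1/auth/user/me", auth=True)

    def needs_refresh(self, margin_s: float = 600, now: Optional[float] = None) -> bool:
        """True when less than margin_s of the 10h lifetime remains (assumed margin)."""
        return seconds_until_expiry(self.token, now) <= margin_s


def fake_nocodb_transport(method, url, headers, body):
    """Constructed offline stand-in for the server: answers only the endpoints used
    here, with this page's sample responses. Error bodies are made up."""
    authed = (headers.get("xc-auth") == PAGE_SAMPLE_TOKEN
              or headers.get("Authorization") == f"Bearer {PAGE_SAMPLE_TOKEN}")
    if method == "POST" and url.endswith("/api/v1/auth/user/signin"):
        creds = json.loads(body or b"{}")
        if creds.get("email") == "user@example.com" and creds.get("password") == "correct horse":
            return 200, json.dumps({"token": PAGE_SAMPLE_TOKEN}).encode()
        return 401, b'{"msg": "Invalid credentials"}'
    if method == "GET" and url.endswith("/api/v1/auth/user/me") and authed:
        return 200, json.dumps({"id": "us_8kugj628ebjngs", "email": "user@example.com",
                                "email_verified": True, "firstname": "Alice",
                                "lastname": "Smith", "roles": "org-level-viewer"}).encode()
    return 401, b'{"msg": "Unauthorized"}'


if __name__ == "__main__":
    client = NocoAuthClient("https://app.nocodb.com", transport=fake_nocodb_transport)
    client.sign_in("user@example.com", "correct horse")
    print(client.me())
    print("token lifetime (s):", seconds_until_expiry(PAGE_SAMPLE_TOKEN, now=1678078432))
    print("needs refresh now?", client.needs_refresh())
```

Swap fake_nocodb_transport for the default urllib_transport to talk to a real instance. The server remains the only authority on whether a token is valid (it checks the signature and token_version); the client-side exp check just lets you refresh or re-authenticate before a request fails.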

Sign Out

Clear the refresh token from the database and cookie.
curl -X POST 'https://app.nocodb.com/api/v1/auth/user/signout' \
  -H 'xc-auth: YOUR_JWT_TOKEN'
{
  "msg": "Signed out successfully"
}

API Token Authentication

API tokens are ideal for server-to-server communication and automation. Unlike JWT tokens, API tokens don’t expire and are scoped to specific bases. See the API Tokens guide for detailed information on creating and using API tokens.

Password Management

Forgot Password

Request a password reset email.
curl -X POST 'https://app.nocodb.com/api/v1/auth/password/forgot' \
  -H 'Content-Type: application/json' \
  -d '{
    "email": "user@example.com"
  }'
{
  "msg": "Please check your email to reset the password"
}

Reset Password

Reset password using the token received via email.
curl -X POST 'https://app.nocodb.com/api/v1/auth/password/reset/{token}' \
  -H 'Content-Type: application/json' \
  -d '{
    "password": "newpassword"
  }'
Parameters:
  • token (string, required, path parameter): Password reset token received via email
  • password (string, required, request body): New password
{
  "msg": "Password has been reset successfully"
}

Change Password

Change password for an authenticated user.
curl -X POST 'https://app.nocodb.com/api/v1/auth/password/change' \
  -H 'xc-auth: YOUR_JWT_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "currentPassword": "currentPassword",
    "newPassword": "newPassword"
  }'
Request body:
  • currentPassword (string, required): Current password
  • newPassword (string, required): New password
{
  "msg": "Password has been updated successfully"
}

Token Configuration

You can customize token behavior using environment variables:
Variable            Default   Description
NC_JWT_EXPIRES_IN   10h       JWT token expiration time

Security Best Practices

Never share your JWT tokens or API tokens publicly. Treat them like passwords.
  • Store tokens securely using environment variables or secret management services
  • Use API tokens for automated systems and integrations
  • Use JWT tokens for user-based authentication
  • Rotate API tokens periodically
  • Implement proper access controls at the base level
  • Use HTTPS for all API requests to prevent token interception