Authentication
The Portal API accepts two kinds of bearer tokens, both sent in the Authorization header.
Authorization: Bearer <token string>
Either token type works on every Portal API endpoint.
Session Tokens
A session token is obtained by exchanging a username and password at the login endpoint. Session tokens are intended for the admin UI and short-lived scripts.
POST https://<your-host>:9909/api/portal/v1/auth/login
Content-Type: application/json

{
  "username": "admin",
  "password": "admin"
}
The response includes a token object whose id field is the bearer string:
{
  "token": {
    "id": "f3a1c0d4e5b6a7c8d9e0f1a2b3c4d5e6",
    "userId": 1
  },
  "user": {
    "userId": 1,
    "username": "admin",
    "isAdmin": true,
    "isAccountOwner": false,
    "account": {
      "id": 1,
      "name": "Default"
    }
  }
}
Session tokens remain valid until they are explicitly invalidated via the logout endpoint.
API Tokens
API tokens are long-lived tokens managed through the API Tokens endpoints. They are intended for headless integrations and CI/CD systems where storing user credentials is not appropriate.
The same API token can be used to authenticate against both the Portal API and the Core API.
Default Credentials
A new OEM instance is provisioned with a default administrator account.
- Username: admin
- Password: admin
Both values can be overridden at first startup with the INITIAL_ADMIN_USERNAME and INITIAL_ADMIN_PASSWORD environment variables. See Configuration for details.
For production deployments, change the default password immediately after first login.
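A post-deployment check for your own instance, confirming that the default administrator login no longer yields a session token. This is an added example, not part of the product's own tooling. The helper names are hypothetical, and it assumes a rejected login returns a body without a token.id field, since the page does not document the failure response.

```python
import json
import urllib.error
import urllib.request

LOGIN_PATH = "/api/portal/v1/auth/login"   # login endpoint from the page
DEFAULT_USER = DEFAULT_PASSWORD = "admin"  # documented defaults


def build_login_request(host, username, password, port=9909):
    """Build the JSON login POST described in the Session Tokens section."""
    body = json.dumps({"username": username, "password": password}).encode()
    return urllib.request.Request(
        f"https://{host}:{port}{LOGIN_PATH}",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def bearer_from_login_response(raw):
    """Return token.id (the bearer string), or None when no token was issued."""
    try:
        doc = json.loads(raw)
    except ValueError:  # not JSON (or not decodable): no token issued
        return None
    token = doc.get("token") if isinstance(doc, dict) else None
    token_id = token.get("id") if isinstance(token, dict) else None
    return token_id if isinstance(token_id, str) and token_id else None


def https_send(request):
    """Send over HTTPS; return the body for both success and HTTP errors."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        return err.read()


def default_admin_still_active(host, send=https_send):
    """True if the instance still issues a session token for admin/admin.

    Assumption: a rejected login carries no token.id in its body. A True
    result also means a live session token now exists; change the password
    and invalidate that token via the logout endpoint.
    """
    raw = send(build_login_request(host, DEFAULT_USER, DEFAULT_PASSWORD))
    return bearer_from_login_response(raw) is not None
```

The send parameter exists so the check can be exercised against a constructed response without a network connection. A connection or TLS verification failure raises urllib.error.URLError rather than returning False.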