The suggestions you gave are not very atomic. We have many users with spotty network connections, so we're trying to stick here with 1 API call for registrations.

I hear you. I think we already have some open issues about this, but if you'd like to file an issue outlining your preferred workflow, that'd be great.

@seednextsrl you typically don't use the access token as a login password.

The access token is what you present to other applications as proof that someone has logged in.

There are a few FusionAuth APIs you can call and present the access token as a means of authentication. They are marked with a little blue person.

Here's more about API authentication: https://fusionauth.io/docs/v1/tech/apis/authentication

Here's an example of an API which uses a JWT to authenticate: https://fusionauth.io/docs/v1/tech/apis/users#retrieve-a-user (scroll to the "Retrieve a User using a JWT" section).

There are two “worlds”, OAuth, and API only.

API world (JSON in body, proprietary to FusionAuth):

Application > Security > Login API Settings > Generate Refresh Tokens (Generate a a refresh token when using the Login API) Application > Security > Login API Settings > Enable JWT refresh (Allow a JWT to be refreshed using the /api/jwt/refresh API)

OAuth world (form params, in body and in request, standardized):

Application > OAuth > Generate Refresh Tokens (Generate a refresh token if offline_access scope was requested) Application > OAuth > Enabled Grants > Refresh Token (Allow a JWT to be refreshed using an refresh token) (edited)

If you are living in the OAuth world, then you can disable the API access, and just use the OAuth configuration. And vice versa.

It looks like the uuid isn't being sent as a string. Per https://fusionauth.io/docs/v1/tech/reference/data-types#uuids it should be quoted.

So you want to send:

{ "applicationId": "15e45e7d-3e34-43df-9366-91c66a8cc9ae", "loginId": "myuserid", "password": "mypassword" }

My guess is you are missing the applicationId on the login API request.

A refresh token is per user per application, so passing that is required to provide refresh tokens (even though it is optional for the call to succeed).