Skip to main content

Overview

The Satélite API uses a two-tier JWT token-based authentication system:
  1. Microsoft Azure AD Token - Initial authentication using your organization’s Microsoft account
  2. Satélite Session Token - Internal API token generated after successful authentication

Authentication Flow

Token Requirements

Initial Authentication (Azure AD Token)

To authenticate with the Satélite API, you must first obtain a JWT token from Microsoft Azure AD. This token must:
  • Be a valid JWT token issued by your organization’s Azure AD
  • Contain either a unique_name or upn claim with the user’s email
  • Have an email domain of @moderna.com.ec
  • Include a name claim for user identification

Session Token (Satélite Token)

After successful authentication, the API generates a Satélite-specific JWT token with:
  • Expiration: 120 minutes (2 hours)
  • Claims:
    • sub - User ID
    • email - User email address
    • rol - User role ID
    • scopes - User permissions (e.g., user:impersonate)

Required Headers

For authenticate Mutation

Authorization: Bearer <AZURE_AD_JWT_TOKEN>
Content-Type: application/json

For All Other API Requests

After authentication, use the Satélite session token: 
Authorization: Bearer <SATELITE_SESSION_TOKEN>
Content-Type: application/json
The session token is returned in:
  • The token field of the SessionDTO response
  • The satelite_session response header

User Auto-Creation

If a user with a valid @moderna.com.ec email authenticates for the first time:
  1. A new user account is automatically created
  2. The user’s name is extracted from the Azure AD token
  3. The user is marked as active by default
  4. The user must be assigned permissions by an administrator before gaining access

Permission System

Upon successful authentication, users receive:
  • Permissions (Permisos) - List of assigned permissions for the user
  • Menu - Dynamically generated menu items based on permissions
  • User Details - User profile information including role
  • Token - JWT token for subsequent API requests

Special Permissions

  • user:impersonate - Granted to users with “Vista Usuario” permission, allowing them to impersonate other users

Error Handling

The authentication system returns specific error codes:
Error CodeDescriptionWhen It Occurs
UNAUTHORIZEDInvalid credentialsToken is missing, invalid, or email domain is not @moderna.com.ec
UNAUTHORIZEDAccount disabledUser account has been deactivated by an administrator
UNAUTHORIZEDNo role assignedUser exists but has no permissions assigned

Security Considerations

  1. Token Storage: Store the Satélite session token securely (e.g., httpOnly cookies, secure storage)
  2. Token Refresh: Tokens expire after 2 hours. Re-authenticate when the token expires
  3. Email Validation: Only @moderna.com.ec email addresses are allowed
  4. Active Status: Users can be deactivated by administrators at any time
  5. Permission Changes: Permission changes take effect after the next authentication

Next Steps

Authentication Mutations

View detailed documentation for the authenticate mutation

Authorization

Learn about role-based access control