The user is the person who logs in to the [Synerise Application](https://app.synerise.com/). They can have access to one or more workspaces, with different permissions in each profile. After a user logs in, they must choose a workspace to work with.

Users may be required to log in using multi-factor authentication.

## Logging in as a user

API reference available [here](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/userLogin).

To log in as a user, you need the username and the password.


<pre><code class="language-plaintext">curl --location --request \
POST 'https://{SYNERISE_API_BASE_PATH}/uauth/auth/login/user' \
--header 'Content-Type: application/json' \
--data-raw '{
    "username": "user@synerise.com",
    "password": "strongPassword"
}'</code></pre>


The response includes:
- JSON Web Token (JWT) needed to authorize when selecting a workspace or modifying user data. This token cannot be used to perform operations within a workspace.
- Information about the multi-factor authentication method
- Information about the user. Note that no workspace is selected, the user has no permissions (authorities) and no roles.


  <div class="highlight-code-block" data-hl-lines="3,15,16">
  <pre><code class="language-json">{
      // JWT
      "token": "eyJhbGciOiJinvalidXyw0TAc",
      // User info
      "consumer": {
          "type": "USER",
          "businessProfileId": null,
          "name": "user@synerise.com",
          "id": 12345,
          "authorities": [],
          "roles": "-2",
          "type": "USER"
      },
      // multi-factor authentication method, if required
      "mfaMethods": [
          "TOTP_AUTHENTICATOR"
      ]
  }</code></pre>
  </div>


- If `mfaMethods` is **not** empty, you must [confirm the multi-factor authentication](#confirming-multi-factor-authentication).
- If `mfaMethods` is empty, [select a workspace](#workspace-selection).

## Confirming multi-factor authentication

API reference available [here](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/userMfaLogin).


<div class="admonition admonition-important"><div class="admonition-icon"><svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke="currentColor" stroke-width="2.5"><path stroke-linecap="round" stroke-linejoin="round" d="M12 8v4m0 4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" /></svg></div><div class="admonition-body"><div class="admonition-content">

After a user logs on, they don't need to enter the authentication code on the same device for 8 hours.

</div></div></div>


You need the JWT obtained from the login request and a token from your authentication app.


<pre><code class="language-plaintext">curl --location --request \
POST 'https://{SYNERISE_API_BASE_PATH}/uauth/auth/login/user/mfa/verification?mfaType=TOTP_AUTHENTICATOR' \
--header 'Authorization: Bearer eyJhbG...2KIh6IU' \
--header 'Content-Type: application/json' \
--data-raw '{
    "verificationCode": "938538"
}'</code></pre>


The response is the same as in the login endpoint. 

Proceed to [workspace selection](#workspace-selection).

## Workspace selection

After authentication, a user must select a workspace to work in.
### Checking available workspaces

API reference available [here](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/getBusinessProfilesUsingGET).

You need a JWT obtained from [logging in](#logging-in-as-a-user); [multi-factor authentication](#confirming-multi-factor-authentication) (if enabled); or with a workspace already selected (when switching between profiles).

The following request checks the workspaces available to a user:

<pre><code class="language-plaintext">curl --location --request \
GET 'https://{SYNERISE_API_BASE_PATH}/uauth/business-profile/' \
--header 'Authorization: Bearer eyJhbGciOiJSUz...qDTl72iqwIji4'</code></pre>


The response is an array of workspaces available to a user. The UUID is stored in the `businessProfileGuid` field.


<div class="highlight-code-block" data-hl-lines="6">
<pre><code class="language-json">[
    {
        "id": 48,
        "name": "Sample Profile",
        "logo": "https://synerise.com/sample.png",
        "businessProfileGuid": "01234abc-1234-5678-9abc-def012345678",
        "created": "2020-07-21T12:41:59Z",
        "subdomain": "sample-profile",
        "ipRestricted": false,
        "mfaRequired": true
    }
]</code></pre>
</div>


### Selecting a workspace

API reference available [here](https://developers.synerise.com/IdentityandAccessManagement/IdentityandAccessManagement.html#operation/userProfileLoginUsingPOST).

You need:
- a JWT obtained from [logging in](#logging-in-as-a-user); [multi-factor authentication](#confirming-multi-factor-authentication) (if enabled); or with a workspace already selected (when switching between profiles).
- the [UUID of the workspace](#checking-available-workspaces)


  <pre><code class="language-plaintext">curl --location --request \
  POST 'https://{SYNERISE_API_BASE_PATH}/uauth/auth/login/user/profile/01234abc-1234-5678-9abc-def012345678' \
  --header 'Authorization: Bearer eyJh...d886bpyWWZKvQESsM8cUYWuVqfSI'</code></pre>


  The response includes:
- JWT needed to perform operations as a user within a workspace (most operations performed as Synerise User require this token)
- Information about the user and their authorities (permissions) in the workspace. These permissions correspond to the ones listed as required in the API reference.


  <pre><code class="language-json">{
      "token": "eyJhbGciOiJSU...tIarjyXFFCv_Ek6M",
      "consumer": {
          "type": "USER",
          "businessProfileId": 48,
          "name": "user@synerise.com",
          "id": 12345,
          "authorities": [
              "ROLE_ADMIN_EDITUSER",
              "ROLE_ANALYTICS_SHOW",
              "ROLE_API_ADD",
              "ROLE_API_CREATE",
              "ROLE_API_DELETE",
              ...
          ],
          "roles": "16",
          "type": "USER"
      }
  }</code></pre>