Question about API login

Hi:

I’m trying to log in from an external app and make some API actions (list, …). I always get “Access denied”, because the token I get is always that of the anonymous user.
I’ve tried with the demo project to see if I get the same behaviour.

If I try with curl:

curl -X POST -k -H "Content-Type: application/json" -i "http://localhost/demo2026/api/login" --data "{\"username\":\"nancy\",\"password\":\"1234\"}"

I get:

Expires: Mon, 02 Mar 2026 20:37:54 GMT
Set-Cookie: BEARER=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE3NzI0ODM4NzQsImV4cCI6MTc3MjQ4NDQ3NCwicm9sZXMiOnsiMCI6IlJPTEVfVVNFUiIsIjIiOiJST0xFX1NBTEVTIn0sInVzZXJuYW1lIjoibmFuY3kiLCJ1c2VyaWQiOiIxIiwicGFyZW50dXNlcmlkIjoiMiIsInVzZXJsZXZlbCI6MSwidXNlcnByaW1hcnlrZXkiOjEsInVzZXJQZXJtaXNzaW9uIjowfQ.E2tdi0oEr7Zn_b84Z32xzZC0RfyB12UOKfIj2cMFo1n441IYwe5lGffswMk807ZsJWzesSkP7Ym1Zf_7bJbXVkSpqLLJOHUhN4l3dEgCZo3LkRkbPLhBRYBhVEj3rUCy0RoIZ5r1HcPR6GS5irWtcU5C_EAgmVLymCXSzP0KFO0oHNWud3qV-ab2VOLKiyV1kuyE7fV6AUkFFur7MHfLXBMi-32m4QymHsbMhG6-2PmCYRBbf-OAe4TJenChDHthrZL_a9xVbYhh5rqdxE2JBHBAYvhzpERAwzhieVlQoJ1sgY6o6Uiz20AXzVxt_kx4Xnah-zK42nZU8_J5Gj6nHg; expires=Tue, 03 Mar 2026 06:37:54 GMT; Max-Age=36000; path=/; httponly; samesite=lax
Set-Cookie: PHPSESSID=a51395a9c67da7039323baa96073c24c; expires=Tue, 03 Mar 2026 02:42:54 GMT; Max-Age=21900; path=/; httponly; samesite=lax
Transfer-Encoding: chunked
Content-Type: application/json

{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE3NzI0ODM4NzQsImV4cCI6MTc3MjQ4NDQ3NCwicm9sZXMiOlsiUk9MRV9VU0VSIiwiUFVCTElDX0FDQ0VTUyIsIlJPTEVfU0FMRVMiXSwidXNlcm5hbWUiOiJBbm9ueW1vdXMiLCJ1c2VyaWQiOiIiLCJwYXJlbnR1c2VyaWQiOiIiLCJ1c2VybGV2ZWwiOi0yLCJ1c2VycHJpbWFyeWtleSI6bnVsbCwidXNlclBlcm1pc3Npb24iOjB9.XqbZiuSbI_dwrU0kcpxyGqxDgkujy0SKMZk1yzcnk9M2RxxqQgSC1_2F67DOiOowEReXavkrcx7ayfzZPNYhSUDddqNYo8SUWYzOE2M-Cg-e1vzU0unLDlSV8jcj6n-WWr31T-R3g0I8qDGFVYevRhJotDfs0oq7vp-v_Tv-xt3Mh-ygLPHoXRz2BoLcDgUSDgxjPWmI2THksLMqCcwYf9OGMP2RVcHlkmk3JyIOgyOTlJ7n1zN-K6K5HdIdXvP8IzbTmEs9KI-3RmaKGvY72TMPD5eds_C9hMRRv7yZyWRe8DmNV50bVK09DT2j6zoY-EtvrCJ-DfB-T6OuuXaTqw"}

If I paste the token into https://www.jwt.io/ I get:
{
  "iat": 1772483874,
  "exp": 1772484474,
  "roles": [
    "ROLE_USER",
    "PUBLIC_ACCESS",
    "ROLE_SALES"
  ],
  "username": "Anonymous",
  "userid": "",
  "parentuserid": "",
  "userlevel": -2,
  "userprimarykey": null,
  "userPermission": 0
}

But if I paste the BEARER:
{
  "iat": 1772483874,
  "exp": 1772484474,
  "roles": {
    "0": "ROLE_USER",
    "2": "ROLE_SALES"
  },
  "username": "nancy",
  "userid": "1",
  "parentuserid": "2",
  "userlevel": 1,
  "userprimarykey": 1,
  "userPermission": 0
}

Am I doing something wrong? I think the token should return the same roles, userlevel, etc…
Thanks

Click Tools -> Update Template and try again.

Thanks, now I get the right properties in token 🙂
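
The comparison the first post makes by pasting both tokens into jwt.io can also be done locally. The script below is an added example, not part of the thread or of the project's code: it decodes the payloads without verifying the signature (debugging only) and reports which claims differ between the response-body token and the BEARER cookie. The sample tokens are constructed and unsigned, built from the claim values shown in the question, and all function names are illustrative.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def normalize(claims: dict) -> dict:
    # "roles" appears as a list in one token and as an index-keyed object
    # in the other; compare both as a sorted list of role names.
    out = dict(claims)
    roles = out.get("roles")
    if isinstance(roles, dict):
        roles = list(roles.values())
    if roles is not None:
        out["roles"] = sorted(roles)
    return out

def diff_claims(body_token: str, cookie_token: str, ignore=("iat", "exp")) -> dict:
    """Map each differing claim to (value in body token, value in cookie token)."""
    a = normalize(decode_claims(body_token))
    b = normalize(decode_claims(cookie_token))
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}

def make_sample(claims: dict) -> str:
    # Constructed sample token: real header/payload encoding, placeholder signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "c2ln"])

# Constructed inputs using the claim values quoted in the question.
BODY_TOKEN = make_sample({"iat": 1772483874, "exp": 1772484474,
    "roles": ["ROLE_USER", "PUBLIC_ACCESS", "ROLE_SALES"], "username": "Anonymous",
    "userid": "", "parentuserid": "", "userlevel": -2, "userprimarykey": None,
    "userPermission": 0})
COOKIE_TOKEN = make_sample({"iat": 1772483874, "exp": 1772484474,
    "roles": {"0": "ROLE_USER", "2": "ROLE_SALES"}, "username": "nancy",
    "userid": "1", "parentuserid": "2", "userlevel": 1, "userprimarykey": 1,
    "userPermission": 0})

if __name__ == "__main__":
    for claim, (body, cookie) in diff_claims(BODY_TOKEN, COOKIE_TOKEN).items():
        print(f"{claim}: body={body!r} cookie={cookie!r}")
```

An empty result means both tokens carry the same identity claims.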