Authentication

All /api/v1 endpoints require a Bearer token in the Authorization header. Obtain a token with your account credentials via the oauth/token endpoint, then send it as Authorization: Bearer <token> on every request.

Note: Your distributor ID and company ID are delivered together with your credentials.


Get a token

POST https://domain.com/oauth/token

This endpoint lives at the domain root — it is not under /api/v1.

Headers

Name            Type     Description
Content-Type*   String   application/json

Request Body

Name         Required   Type     Description
grant_type   Yes        String   Must be password
email        Yes        String   Account email
password     Yes        String   Account password

POST https://domain.com/oauth/token
Content-Type: application/json

{
    "grant_type": "password",
    "email": "email@email.com",
    "password": "password"
}

Response — 200 OK

{
  "access_token": "1|aBcD3fGhIjKlMnOpQrStUvWxYz0123456789abcd",
  "token_type": "Bearer",
  "expires_in": 86400,
  "refresh_token": "",
  "created_at": 1696176000
}

Use access_token as the bearer token on all subsequent /api/v1 requests:

Authorization: Bearer <access_token>

Note: Tokens are personal access tokens. expires_in is in seconds (86400 = 24 h). refresh_token is not used (always empty) — request a new token through this endpoint when the current one expires.


Error responses

Response — 422 Unprocessable Entity (grant_type other than password)

{
  "message": "grant_type is not valid"
}

Response — 422 Unprocessable Entity (invalid credentials)

{
  "message": "The provided credentials are incorrect.",
  "errors": {
    "email": [
      "The provided credentials are incorrect."
    ]
  }
}
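
An added example, not part of the original documentation: a Python client-side helper for the flow above. It keeps the token in memory, requests a new one shortly before expires_in elapses (refresh_token is unused), and raises the API's message on a 422. The names TokenCache, AuthError and http_fetch and the 60-second skew are assumptions; domain.com is the page's placeholder host.

```python
import json
import time
import urllib.error
import urllib.request

TOKEN_URL = "https://domain.com/oauth/token"  # placeholder host, as on the page


class AuthError(Exception):
    """Raised with the API's "message" field when the token request is rejected."""


def http_fetch(payload):
    """POST the JSON body to the token endpoint and return the parsed response."""
    req = urllib.request.Request(
        TOKEN_URL, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # e.g. 422 for bad grant_type or credentials
        try:
            message = json.load(err).get("message", "")
        except (ValueError, AttributeError):
            message = ""
        raise AuthError(message or f"HTTP {err.code}") from None


class TokenCache:
    """Hypothetical helper: holds one token in memory and re-requests it near expiry."""

    def __init__(self, email, password, fetch=http_fetch, clock=time.time, skew=60):
        self._body = {"grant_type": "password", "email": email, "password": password}
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def auth_header(self):
        """Return the Authorization header, fetching a new token if needed."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            data = self._fetch(self._body)
            if data.get("token_type") != "Bearer" or not data.get("access_token"):
                raise AuthError("unexpected token response")
            self._token = data["access_token"]
            # refresh_token is always empty, so expiry just triggers a new request.
            self._expires_at = data.get("created_at", self._clock()) + data["expires_in"]
        return {"Authorization": f"Bearer {self._token}"}
```

Pass the returned dictionary as the request headers on each /api/v1 call; the fetch and clock parameters exist so the helper can be exercised without network access.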