All API requests must be authenticated using a valid access token. Access tokens are retrieved via the login endpoint and must be included in the Authorization header as a Bearer token:
Authorization: Bearer <accessToken>

The authentication flow consists of three main steps:
Login
Use your partner credentials to authenticate and receive an access token and a refresh token.
- The access token is required for all API requests.
- The refresh token is used to generate a new access token without sending credentials again.
Token Refresh
Access tokens are valid for 1 hour.
Refresh your token using the refresh token shortly before it expires (e.g., every 55 minutes) via the generateNewAccessToken endpoint.
- Refreshing tokens is faster and safer than logging in repeatedly.
- Refresh tokens are valid for 3 hours.
Logout
Use the logout endpoint to invalidate your refresh token.
- Only necessary if you want to end the session, rotate credentials, or prevent further use of tokens.

- Always include the latest access token in the Authorization header.
- Use refresh tokens to maintain a session and reduce the need to send credentials frequently.
- Login is only required if both the access token and refresh token are expired or invalid.
- Tokens are short-lived by design for security; always handle token expiration in your integration.
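
The token lifecycle described above, as an added client-side sketch that is not part of the original documentation. The `login` and `refresh` callables are hypothetical wrappers around the login and generateNewAccessToken endpoints, and the code assumes the refresh token's 3 hours count from login and that a refresh returns only a new access token.

```python
import time

ACCESS_TTL = 60 * 60        # page: access tokens are valid for 1 hour
REFRESH_TTL = 3 * 60 * 60   # page: refresh tokens are valid for 3 hours
REFRESH_AFTER = 55 * 60     # page: refresh shortly before expiry, e.g. every 55 minutes


class RefreshRejected(Exception):
    """Raised by the refresh callable when the server rejects the refresh token."""


class TokenSession:
    """Tracks token ages and picks the cheapest valid way to get an access token.

    login() -> (access_token, refresh_token) and refresh(refresh_token) -> access_token
    are hypothetical callables supplied by the integration.
    Assumption: refreshing does not issue a new refresh token or extend its lifetime.
    """

    def __init__(self, login, refresh, clock=time.monotonic):
        self._login, self._refresh, self._clock = login, refresh, clock
        self._access = self._refresh_token = None
        self._access_at = self._refresh_at = 0.0

    def _do_login(self, now):
        self._access, self._refresh_token = self._login()
        self._access_at = self._refresh_at = now

    def access_token(self):
        now = self._clock()
        if self._access is None:
            self._do_login(now)
        elif now - self._access_at >= REFRESH_AFTER:
            refresh_ok = now - self._refresh_at < REFRESH_TTL
            if refresh_ok:
                try:
                    self._access = self._refresh(self._refresh_token)
                    self._access_at = now
                except RefreshRejected:
                    refresh_ok = False
            # Send credentials again only when the refresh token is unusable
            # AND the access token itself has passed its 1 hour lifetime.
            if not refresh_ok and now - self._access_at >= ACCESS_TTL:
                self._do_login(now)
        return self._access

    def authorization_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}
```

Call `authorization_header()` before every request so the latest access token is always the one sent.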