Authentication

All API requests must be authenticated using a valid access token. Access tokens are retrieved via the login endpoint and must be included in the Authorization header as a Bearer token:

Authorization: Bearer <accessToken>

Authentication Flow

The authentication flow consists of three main steps:

  1. Login
    Use your partner credentials to authenticate and receive an access token and a refresh token.

    • The access token is required for all API requests.
    • The refresh token is used to generate a new access token without sending credentials again.
  2. Token Refresh
    Access tokens are valid for 1 hour.
    Refresh your token using the refresh token shortly before it expires (e.g., every 55 minutes) via the generateNewAccessToken endpoint.

    • Refreshing tokens is faster and safer than logging in repeatedly.
    • Refresh tokens are valid for 3 hours.
  3. Logout
    Use the logout endpoint to invalidate your refresh token.

    • Logging out is only necessary if you want to end the session, rotate credentials, or prevent further use of tokens.

Key Points

  • Always include the latest access token in the Authorization header.
  • Use refresh tokens to maintain a session and reduce the need to send credentials frequently.
  • Login is only required if both the access token and refresh token are expired or invalid.
  • Tokens are short-lived by design for security; always handle token expiration in your integration.
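
The flow and key points above as a client-side token manager. This is an added example, not the API provider's code. The `login` and `refresh` callables, their return shapes, `RefreshError`, and the assumption that the refresh token's 3-hour validity counts from login are hypothetical; wire the callables to the login and generateNewAccessToken endpoints.

```python
import time

REFRESH_AFTER = 55 * 60     # refresh shortly before the 1-hour access token expires
REFRESH_TTL = 3 * 60 * 60   # refresh tokens are valid for 3 hours


class RefreshError(Exception):
    """Hypothetical error raised by refresh() when the server rejects the token."""


class TokenSession:
    """Tracks token age and chooses refresh or login before each request."""

    def __init__(self, login, refresh, clock=time.monotonic):
        # login() -> (access_token, refresh_token)   hypothetical transport
        # refresh(refresh_token) -> access_token     hypothetical transport
        self._login, self._refresh, self._clock = login, refresh, clock
        self._access = self._refresh_token = None
        self._access_at = self._refresh_at = 0.0

    def _do_login(self):
        self._access, self._refresh_token = self._login()
        self._access_at = self._refresh_at = self._clock()

    def access_token(self):
        now = self._clock()
        if self._access is None:
            self._do_login()
        elif now - self._access_at >= REFRESH_AFTER:
            # Assumption: the refresh token's 3 hours count from login.
            if now - self._refresh_at < REFRESH_TTL:
                try:
                    self._access = self._refresh(self._refresh_token)
                    self._access_at = now
                except RefreshError:
                    self._do_login()   # refresh token invalid: log in again
            else:
                self._do_login()       # both tokens expired: log in again
        return self._access

    def auth_header(self):
        # Always built from the latest access token.
        return {"Authorization": f"Bearer {self.access_token()}"}

    def __repr__(self):
        # Keep token values out of logs and tracebacks.
        return "<TokenSession tokens=redacted>"
```

Passing an injected clock, as the constructor allows, lets the expiry logic be tested without waiting for real time to pass.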