All API requests must be authenticated using a valid access token. Access tokens are retrieved via the login endpoint and must be included in the Authorization header as a Bearer token:
Authorization: Bearer <accessToken>The authentication flow consists of three main steps:
- Login Use your partner credentials to authenticate and receive an access token and a refresh token.
- The access token is required for all API requests.
- The refresh token is used to generate a new access token without sending credentials again.
- Token Refresh Access tokens are valid for 1 hour. Refresh your token using the refresh token shortly before it expires (e.g., every 55 minutes) via the
generateNewAccessTokenendpoint.
- Refreshing tokens is faster and safer than logging in repeatedly.
- Refresh tokens are valid for 3 hours.
- Logout Use the
logoutendpoint to invalidate your refresh token.
- Only necessary if you want to end the session, rotate credentials, or prevent further use of tokens.
- Always include the latest access token in the
Authorizationheader. - Use refresh tokens to maintain a session and reduce the need to send credentials frequently.
- Login is only required if both the access token and refresh token are expired or invalid.
- Tokens are short-lived by design for security; always handle token expiration in your integration.