# Authentication

All API requests must be authenticated using a **valid access token**. Access tokens are retrieved via the **login** endpoint and must be included in the `Authorization` header as a Bearer token:


```http
Authorization: Bearer <accessToken>
```

## Authentication Flow

The authentication flow consists of three main steps:

1. **Login**
   Use your partner credentials to authenticate and receive an access token and a refresh token.
   - The access token is required for all API requests.
   - The refresh token is used to generate a new access token without sending credentials again.
2. **Token Refresh**
   Access tokens are valid for **1 hour**.
   Refresh your token using the refresh token shortly before it expires (e.g., every 55 minutes) via the `generateNewAccessToken` endpoint.
   - Refreshing tokens is faster and safer than logging in repeatedly.
   - Refresh tokens are valid for **3 hours**.
3. **Logout**
   Use the `logout` endpoint to invalidate your refresh token.
   - Only necessary if you want to end the session, rotate credentials, or prevent further use of tokens.
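
The refresh-or-login decision from the flow above, as an added example (not code from this API's provider). It assumes caller-supplied `login` and `refresh` callables wrapping the `login` and `generateNewAccessToken` endpoints, that a refresh returns only a new access token so the 3 hour refresh-token lifetime runs from login, and that a rejected refresh token surfaces as `PermissionError`; `TokenManager` and `simulate` are hypothetical names.

```python
import time

ACCESS_REFRESH_AFTER = 55 * 60   # page: refresh shortly before the 1 hour expiry
REFRESH_TTL = 3 * 60 * 60        # page: refresh tokens are valid for 3 hours

class TokenManager:
    """Returns a usable access token, preferring refresh over a new login."""

    def __init__(self, login, refresh, clock=time.monotonic):
        # Assumed shapes: login() -> (access, refresh_token) and
        # refresh(refresh_token) -> access. Both are caller-supplied wrappers
        # around the login and generateNewAccessToken endpoints.
        self._login, self._refresh, self._clock = login, refresh, clock
        self._access = self._refresh_token = None
        self._access_at = self._session_at = 0.0

    def _new_session(self):
        self._access, self._refresh_token = self._login()
        self._access_at = self._session_at = self._clock()

    def access_token(self):
        now = self._clock()
        if self._access is None or now - self._session_at >= REFRESH_TTL:
            self._new_session()       # first use, or refresh token expired
        elif now - self._access_at >= ACCESS_REFRESH_AFTER:
            try:
                self._access = self._refresh(self._refresh_token)
                self._access_at = now
            except PermissionError:   # assumed signal: refresh token rejected
                self._new_session()
        return self._access

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}

def simulate(minutes=240, step=5):
    """Constructed run against fake endpoints; returns (minute, call) events."""
    now, events = [0.0], []
    def login():
        events.append((int(now[0] // 60), "login"))
        return "access-0", "refresh-0"          # constructed sample tokens
    def refresh(_token):
        events.append((int(now[0] // 60), "refresh"))
        return f"access-{len(events)}"
    tm = TokenManager(login, refresh, clock=lambda: now[0])
    for minute in range(0, minutes + 1, step):
        now[0] = minute * 60.0
        tm.auth_header()
    return events
```

Over a simulated four hours, `simulate()` shows credentials being sent only at minute 0 and again at minute 180, when the refresh token has aged out. The server remains authoritative on expiry, which is why a rejected refresh falls back to login instead of trusting the local clock alone.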


## Key Points

- Always include the latest access token in the `Authorization` header.
- Use refresh tokens to maintain a session and reduce the need to send credentials frequently.
- Login is only required if both the access token and refresh token are expired or invalid.
- Tokens are short-lived by design for security; always handle token expiration in your integration.