We use two different types of authentication:
- API Secret Authentication
  - Required for authentication endpoints (like login and refresh).
- User Authentication (Bearer Token)
  - Required for accessing user-specific endpoints.

All endpoints under /auth (such as login, registration, and token refresh) are protected by an API secret. The token is the Base64 encoding of API_SECRET+CLIENT_ID, sent in the x-auth-token header.
If your secret is mySecret and client ID is myClientId:
1. Concatenate: "mySecret+myClientId"
2. Base64 Encode: "bXlTZWNyZXQrbXlDbGllbnRJZA=="
3. Final Header: "x-auth-token: bXlTZWNyZXQrbXlDbGllbnRJZA=="

Once you authenticate a user (for example via the /v2/auth/login endpoint), you will get the following response:
{
"access": "eyJraWQiOiJ...", // The Access Token (JWT)
"refresh": "eyJjdHkiOiJ...", // The Refresh Token
"expiresIn": 3600 // Access token expires in 3600s (1h)
}

Include the access token in the Authorization header using the Bearer scheme.

Authorization: Bearer <YOUR_ACCESS_TOKEN>

When your Access Token expires, use the Refresh Token to obtain a new pair of tokens on the /v1/auth/refresh endpoint.
Body:
{
"refresh": "<YOUR_REFRESH_TOKEN>"
}

Response:
{
"access": "eyJraWQiOiJ...", // New Access Token
"refresh": "eyJjdHkiOiJ...", // New Refresh Token (will be different, store this one now)
"expiresIn": 3600 // Access token expires in 3600s (1h)
}
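
The flow above from the client side, as an added example that is not part of the original documentation: it builds the x-auth-token header and replaces the stored token pair on every refresh. `TokenSession`, the `post` transport, the 30-second skew and the single-use behaviour of the fake server are assumptions made for the illustration.

```python
import base64
import time

def build_api_secret_header(api_secret, client_id):
    """x-auth-token for /auth endpoints: Base64 of "API_SECRET+CLIENT_ID"."""
    raw = f"{api_secret}+{client_id}".encode("utf-8")
    # Base64 is a reversible encoding, not encryption: send only over TLS.
    return {"x-auth-token": base64.b64encode(raw).decode("ascii")}

class TokenSession:
    """Holds the token pair and rotates it through /v1/auth/refresh."""
    SKEW = 30  # assumption: refresh 30 s before the stated expiry

    def __init__(self, post, api_secret, client_id, login_response, clock=time.monotonic):
        self._post = post  # hypothetical transport: post(path, headers, body) -> dict
        self._auth_headers = build_api_secret_header(api_secret, client_id)
        self._clock = clock
        self._store(login_response)

    def _store(self, resp):
        self.access = resp["access"]
        self.refresh = resp["refresh"]  # new pair replaces the old one
        self._expires_at = self._clock() + resp["expiresIn"]

    def bearer_headers(self):
        """Authorization header for user endpoints, refreshing first if needed."""
        if self._clock() >= self._expires_at - self.SKEW:
            body = {"refresh": self.refresh}
            self._store(self._post("/v1/auth/refresh", self._auth_headers, body))
        return {"Authorization": f"Bearer {self.access}"}

def make_fake_api():
    """Constructed stand-in server; assumes each refresh token works once."""
    state = {"n": 0, "valid": "r0"}
    def post(path, headers, body):
        if path != "/v1/auth/refresh" or "x-auth-token" not in headers:
            raise PermissionError("missing API secret header")
        if body["refresh"] != state["valid"]:
            raise PermissionError("stale refresh token")
        state["n"] += 1
        state["valid"] = f"r{state['n']}"
        return {"access": f"a{state['n']}", "refresh": state["valid"], "expiresIn": 3600}
    return post

if __name__ == "__main__":
    s = TokenSession(make_fake_api(), "mySecret", "myClientId",
                     {"access": "a0", "refresh": "r0", "expiresIn": 3600})
    print(build_api_secret_header("mySecret", "myClientId"), s.bearer_headers())
```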