# Authentication Reference

We use two different types of authentication:

- **API Secret Authentication** - Required for authentication endpoints (like login and refresh).
- **User Authentication (Bearer Token)** - Required for accessing user-specific endpoints.

## 1. API Secret Authentication (x-auth-token)

All endpoints under `/auth` (such as login, registration, and token refresh) are protected by an API secret. The token is the **base64** encoding of `API_SECRET+CLIENT_ID`, sent in the `x-auth-token` header. Base64 is a reversible encoding, not encryption, so treat the header value as the secret itself.

If your secret is `mySecret` and client ID is `myClientId`:

```
1. Concatenate: "mySecret+myClientId"
2. Base64 Encode: "bXlTZWNyZXQrbXlDbGllbnRJZA=="
3. Final Header: "x-auth-token: bXlTZWNyZXQrbXlDbGllbnRJZA=="
```

## 2. User Authentication

Once you authenticate a user (for example via the `/v2/auth/login` endpoint), you will get the following response:

```json
{
  "access": "eyJraWQiOiJ...",   // The Access Token (JWT)
  "refresh": "eyJjdHkiOiJ...",  // The Refresh Token
  "expiresIn": 3600             // Access token expires in 3600s (1h)
}
```

Include the **access token** in the `Authorization` header using the Bearer scheme.

```
Authorization: Bearer <access token>
```

When your Access Token expires, use the **Refresh Token** to obtain a new pair of tokens on the `/v1/auth/refresh` endpoint.

**Body:**

```json
{
  "refresh": "<refresh token>"
}
```

**Response:**

```json
{
  "access": "eyJraWQiOiJ...",   // New Access Token
  "refresh": "eyJjdHkiOiJ...",  // New Refresh Token (will be different, store this one now)
  "expiresIn": 3600             // Access token expires in 3600s (1h)
}
```
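
The flow described above from the client's side, as an added example that is not part of the original reference: it builds the `x-auth-token` value, tracks `expiresIn`, and replaces the stored refresh token on every rotation. The `TokenSession` class, the `post(path, headers, body)` transport, the 30-second refresh margin and the login body fields are assumptions; the server in `demo()` is a constructed in-memory stub so the block runs offline.

```python
import base64
import time


def x_auth_token(api_secret: str, client_id: str) -> str:
    """base64("API_SECRET+CLIENT_ID"), with a literal '+' as in the page's example."""
    return base64.b64encode(f"{api_secret}+{client_id}".encode()).decode()


class TokenSession:
    """Holds the current token pair and rotates it via the refresh endpoint."""

    def __init__(self, api_secret, client_id, post, clock=time.monotonic, skew=30):
        self._auth = {"x-auth-token": x_auth_token(api_secret, client_id)}
        self._post = post  # assumed transport: post(path, headers, body) -> dict
        self._clock, self._skew = clock, skew  # skew: refresh this early (seconds)
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, resp):
        # Each response carries a NEW refresh token; keep it and drop the old one.
        self._access, self._refresh = resp["access"], resp["refresh"]
        self._expires_at = self._clock() + resp["expiresIn"]

    def login(self, credentials):
        self._store(self._post("/v2/auth/login", self._auth, credentials))

    def auth_header(self):
        if self._access is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._expires_at - self._skew:
            body = {"refresh": self._refresh}
            self._store(self._post("/v1/auth/refresh", self._auth, body))
        return {"Authorization": f"Bearer {self._access}"}


def demo():
    """Runs against a constructed in-memory server stub; no network involved."""
    now, calls = [0.0], []

    def fake_post(path, headers, body):
        calls.append((path, headers["x-auth-token"], body))
        n = len(calls)
        return {"access": f"access-{n}", "refresh": f"refresh-{n}", "expiresIn": 3600}

    s = TokenSession("mySecret", "myClientId", fake_post, clock=lambda: now[0])
    s.login({"username": "alice", "password": "constructed"})  # assumed body fields
    first = s.auth_header()
    now[0] = 3590.0  # inside the 30 s margin, so the next call refreshes
    second = s.auth_header()
    return first, second, calls
```
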