Authentication
Login API Key to JWT
Exchange your API key for a short-lived JWT used in all subsequent requests.
Endpoint
| Property | Value |
|---|---|
| URL | POST /auth/login |
| Method | POST |
| Auth | None |
| Content-Type | application/json |
Example Request
curl --location '{{baseUrl}}/auth/login' \
--header 'Content-Type: application/json' \
--data-raw '{
"apiKey": "{{partnerApiKey}}"
}'
Partner login
Use your partner API key to obtain a partner JWT.
Request body:
{
"apiKey": "<your-partner-apiKey>"
}
Response:
{
"jwt": "<JWT_STRING>",
"expirationDate": "2026-06-26T07:56:42.199+00:00",
"refreshToken": "<REFRESH_TOKEN>",
"refreshTokenExpiration": "2026-07-25T07:56:42.201+00:00"
}
| Field | Description |
|---|---|
jwt | Use in R-Auth header for all subsequent calls |
expirationDate | Expiry timestamp. Re-login when reached |
refreshToken | Use with /auth/refresh to obtain a new JWT without re-authenticating |
refreshTokenExpiration | Expiry timestamp of the refresh token (~30 days) |
The JWT is short-lived. When it expires, you will receive a 401 response. Re-call /auth/login to obtain a new JWT.
Company login
Use a company API key, returned from Create company, to obtain a company JWT.
Endpoint
| Property | Value |
|---|---|
| URL | POST auth/login |
| Method | POST |
| Auth | None |
| Content-Type | application/json |
Example Request
curl --location '{{baseUrl}}/auth/login' \
--header 'Content-Type: application/json' \
--data-raw '{
"apiKey": "{{companyApiKey}}"
}'
Request body:
{
"apiKey": "<company-apiKey>"
}
Response:
{
"jwt": "<JWT_STRING>",
"expirationDate": "2026-06-01T12:00:00"
}
| Field | Description |
|---|---|
jwt | Use in R-Auth header for all subsequent calls |
expirationDate | Expiry timestamp. Re-login when reached |
The JWT is short-lived. When it expires, you will receive a 401 response. Re-call /auth/login to obtain a new JWT, or use /auth/refresh with your refresh token.
Refresh JWT
Exchange your refresh token for a new JWT without re-authenticating with your API key.
The refresh token is returned from /auth/login and is valid for approximately 30 days.
Endpoint
| Property | Value |
|---|---|
| URL | POST /auth/refresh |
| Method | POST |
| Auth | None |
| Content-Type | application/json |
Example Request
curl --location '{{baseUrl}}/auth/refresh' \
--header 'Content-Type: application/json' \
--data-raw '{
"refreshToken": "{{refreshToken}}"
}'
Request body:
{
"refreshToken": "<refreshToken>"
}
Response:
{
"jwt": "<JWT_STRING>",
"expirationDate": "2026-06-01T12:00:00",
"refreshToken": "<REFRESH_TOKEN>",
"refreshTokenExpiration": "2026-07-01T12:00:00"
}
| Field | Description |
|---|---|
jwt | New JWT to use in the R-Auth header |
expirationDate | Expiry timestamp of the new JWT, approximately 24 hours |
refreshToken | New refresh token. Store this for the next refresh request |
refreshTokenExpiration | Expiry timestamp of the new refresh token, approximately 30 days |
Each refresh call invalidates the old refresh token and issues a new one. Always store the latest refreshToken from the response.