Authentication
All API endpoints require a JWT Bearer token obtained via login. The token must be included in the Authorization header of every request.
Login
| Property | Value |
|---|---|
| Endpoint | /auth/login |
| Method | POST |
| Content-Type | application/json |
| Authorization | None (initial access) |
Request body
{
  "apiKey": "YOUR_API_KEY",
  "email": "user@company.com",
  "password": "your_password"
}
| Field | Type | Required | Description |
|---|---|---|---|
| apiKey | String | Yes* | API key from Settings → ERP Management → API Management |
| email | String | Yes | Registered email address |
| password | String | Yes | Account password |
* apiKey is used for machine-to-machine authentication. When using Method B (single partner key), provide the partner API key here.
Responses
| Code | Description |
|---|---|
| 200 | Login successful — returns accessToken and refreshToken |
| 401 | Unauthorized — invalid credentials |
| 403 | MFA required |
| 429 | Too many requests |
Example response
{
  "accessToken": "eyJhbGciOiJIUzI1NiJ9...",
  "refreshToken": "eyJhbGciOiJIUzI1NiJ9...",
  "tokenType": "Bearer"
}
Token refresh
| Property | Value |
|---|---|
| Endpoint | /auth/token-refresh |
| Method | POST |
{
  "refreshToken": "eyJhbGciOiJIUzI1NiJ9..."
}
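A client-side sketch of the login and token-refresh flow described above, added here as an example and not taken from the API vendor's own code. `BASE_URL`, `Session`, `AuthError`, `http_post` and `LOGIN_ERRORS` are hypothetical names, the host is a placeholder, and the refresh response is assumed to have the same shape as the login response.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page gives no host
LOGIN_ERRORS = {  # non-200 codes from the Responses table and the client reaction
    401: "invalid credentials; do not retry the same values",
    403: "MFA required; complete MFA before retrying",
    429: "too many requests; back off before retrying",
}

class AuthError(Exception):
    def __init__(self, status, reason):
        super().__init__(f"HTTP {status}: {reason}")  # never echoes credentials
        self.status = status

def http_post(path, body):  # returns (status, parsed body); {} on HTTP errors
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

class Session:
    def __init__(self, post=http_post):
        self._post = post  # injectable transport, so the flow can run offline
        self._access = self._refresh = None  # tokens stay in memory only

    def _store(self, status, data):
        if status != 200 or not data.get("accessToken"):
            raise AuthError(status, LOGIN_ERRORS.get(status, "unexpected response"))
        self._access = data["accessToken"]
        self._refresh = data.get("refreshToken", self._refresh)

    def login(self, api_key, email, password):
        body = {"apiKey": api_key, "email": email, "password": password}
        self._store(*self._post("/auth/login", body))

    def refresh(self):
        # Assumption: the refresh response has the same shape as the login one.
        self._store(*self._post("/auth/token-refresh", {"refreshToken": self._refresh}))

    def auth_header(self):
        if not self._access:
            raise AuthError(0, "no access token; call login() first")
        return {"Authorization": f"Bearer {self._access}"}
```

Read the API key and password from a secret store or the environment when calling `login()`, and keep both tokens out of logs and error reports.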