Get Token
Authenticate users and obtain access tokens for API access. This endpoint validates user credentials and returns JWT tokens for subsequent API calls.
Endpoint
- URL: /api/v1/sign-in
- Method: POST
- Auth Required: No
- Content-Type: application/json
Request Structure
| Field | Type | Required | Description |
|---|---|---|---|
| partnerCode | string | No | Partner code/account identifier |
| userName | string | No | Username for authentication |
| password | string | No | Password for authentication |
Example Request:
{
  "partnerCode": "CUST001",
  "userName": "john.doe@example.com",
  "password": "SecurePassword123!"
}
Request Constraints & Business Rules
- At least one of partnerCode or userName must be provided to identify the user.
- Password must be provided for authentication.
- Credentials are validated against the user database.
- Failed authentication attempts may be rate-limited for security.
- Account lockout policies may apply after multiple failed attempts.
Response Structure
| Field | Type | Nullable | Description |
|---|---|---|---|
| accessToken | string | Yes | JWT access token for API authentication |
| refreshToken | string | Yes | Refresh token for obtaining new access tokens |
| issuedAt | string | No | Token issue timestamp (ISO 8601 format) |
| expiresAt | string | No | Token expiration timestamp (ISO 8601 format) |
| expiresIn | integer | No | Token lifetime in seconds |
Example Response:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "def50200a1b2c3d4e5f6...",
  "issuedAt": "2024-07-01T10:00:00Z",
  "expiresAt": "2024-07-01T11:00:00Z",
  "expiresIn": 3600
}
Error Codes
See Error Codes for details on possible error responses.
Security & Validation
- Passwords are validated against stored hashes using secure algorithms.
- JWT tokens are signed with secret keys for integrity verification.
- Access tokens have limited lifetime for security (typically 1 hour).
- Refresh tokens have longer lifetime but can be revoked.
- All authentication attempts are logged for security monitoring.
- Input validation prevents injection attacks.
Token Usage
After successful authentication:
- Access Token: Use in Authorization: Bearer <access_token> header for API calls
- Refresh Token: Use with /api/v1/refresh-token to obtain new access tokens
- Token Expiry: Monitor expiresAt and refresh before expiration
- Token Storage: Store tokens securely (avoid localStorage in browsers)
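The following is an added example, not code from this API's own documentation. It shows one way to apply the guidance above: validate the sign-in response, keep the tokens in memory only, and decide when to refresh. The function names and the 60-second refresh margin are assumptions; the sample input is the example response shown on this page.

```javascript
const SKEW_MS = 60_000; // assumption: start refreshing 60 s before expiry

// Validate a sign-in response body and build a session object held in memory only.
// receivedAtMs is the local clock at receipt (Date.now() in real use).
function buildSession(body, receivedAtMs) {
  if (typeof body?.accessToken !== 'string' || body.accessToken === '') {
    throw new Error('sign-in response has no accessToken'); // field is nullable
  }
  const issued = Date.parse(body.issuedAt);
  const expires = Date.parse(body.expiresAt);
  if (Number.isNaN(issued) || Number.isNaN(expires) || expires <= issued) {
    throw new Error('issuedAt/expiresAt missing or inconsistent');
  }
  if (!Number.isInteger(body.expiresIn) || body.expiresIn <= 0) {
    throw new Error('expiresIn must be a positive integer (seconds)');
  }
  // The three lifetime fields must agree; a mismatch means a malformed response.
  if (Math.abs((expires - issued) / 1000 - body.expiresIn) > 1) {
    throw new Error('expiresIn does not match expiresAt - issuedAt');
  }
  // Anchor expiry to the local clock plus expiresIn, so an offset between
  // client and server clocks does not shift the perceived expiry.
  const expiresAtMs = receivedAtMs + body.expiresIn * 1000;
  return Object.freeze({
    accessToken: body.accessToken,
    refreshToken: body.refreshToken ?? null,
    expiresAtMs,
    refreshAtMs: expiresAtMs - SKEW_MS,
  });
}

// True once the session is inside the refresh window (or already expired).
function needsRefresh(session, nowMs) {
  return nowMs >= session.refreshAtMs;
}

// Build the Authorization header; refuse to send a token past its lifetime.
function authHeader(session, nowMs) {
  if (nowMs >= session.expiresAtMs) throw new Error('access token expired');
  return { Authorization: `Bearer ${session.accessToken}` };
}

// Sample input: the example response from this page.
const SAMPLE_RESPONSE = {
  accessToken: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
  refreshToken: 'def50200a1b2c3d4e5f6...',
  issuedAt: '2024-07-01T10:00:00Z', expiresAt: '2024-07-01T11:00:00Z', expiresIn: 3600,
};
```

When needsRefresh returns true, call /api/v1/refresh-token and pass its response through buildSession again; the request format for that endpoint is not described on this page.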
Integration Examples
cURL Example
curl -X POST "https://api.example.com/api/v1/sign-in" \
  -H "Content-Type: application/json" \
  -d '{
    "partnerCode": "CUST001",
    "userName": "john.doe@example.com",
    "password": "SecurePassword123!"
  }'
JavaScript Example
const response = await fetch('/api/v1/sign-in', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    partnerCode: 'CUST001',
    userName: 'john.doe@example.com',
    password: 'SecurePassword123!'
  })
});
const result = await response.json();
// accessToken is nullable, so check it as well as the HTTP status
let tokens = null;
if (response.ok && result.accessToken) {
  // Keep tokens in memory for subsequent API calls; localStorage is
  // readable by any script on the page (see Token Storage above)
  tokens = {
    accessToken: result.accessToken,
    refreshToken: result.refreshToken,
    expiresAt: result.expiresAt
  };
}
Validation Questions
- What password complexity requirements are enforced?
- How long are access tokens and refresh tokens valid?
- Are there rate limits on authentication attempts?
- What account lockout policies are in place?
- How are expired or invalid tokens handled?
- Is multi-factor authentication supported?
- Can users have multiple active sessions?
For integration support, see Contact Support.