Authentication

Authentication is based on JSON Web Token (JWT) (RFC 7519). Clients authenticate using credentials to obtain:

All protected APIs require the Access Token in the header:

CODE

Content-Type: application/json
X-Authorization: Bearer <AccessToken>

Note: The Access Token API itself does not require X-Authorization.

Resellers can access a child account (at any level) without needing the child’s API credentials.

Authenticates a user and returns Access/Refresh tokens.

CODE

POST /api/login

CODE

Content-Type: application/json
X-Requested-With: XMLHttpRequest

Field	Mandatory	Description
username	Yes	User name for the organization
password	Yes	Password for the user
targetAccountId	No	Child organization account ID (available only at reseller level)

Field	Description
AccessToken	Access Token for the requested account
RefreshToken	Refresh Token for the requested account

Generates a new Access Token and Refresh Token using the Refresh Token.

CODE

GET /api/RefreshToken

CODE

Content-Type: application/json
X-Requested-With: XMLHttpRequest
X-Authorization: Bearer <RefreshToken>

Field	Description
AccessToken	New access token
RefreshToken	New refresh token

Code	Description
10126	BadCredential Exception: Username or Password not valid
10117	Incorrect value in `targetAccountId`
11044	Account blocked due to multiple failed login attempts (reset password via “Forgot Password”)
10126	Timeout may be returned with timeout messaging (see Response Time & Timeout)

In the Postman collection, the returned Access Token is typically saved into the environment variable (e.g. Auth_Key) and automatically sent in subsequent API calls.