Authentication
We use JWT for the authentication of the API.
Client ID + Secret (OAuth 2.0)
To obtain a token using a client_id and client_secret you need to send a request to /oauth/token
These tokens are short lived and expire after 15 minutes.
Request
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json
grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=red-marker-reviews
Response
{
"success": true,
"data": {
"type": "token",
"access_token": "<token_goes_here>",
"expires_in": 900
}
}
Token Refresh
There is no refresh endpoint for these short lived tokens. To obtain a new token, send a request /oauth/token using
the above parameters.
Username + Password
Deprecated
It is preferred to use OAuth to obtain a token to use the Red Marker API. This Authentication mechanism will be deprecated in future.
To obtain a token you need to send a request to /v1/login
Request
POST /v1/login HTTP/1.1
Content-Type: application/json
{
"email": "<email_here>",
"password": "<password_here>"
}
Response
{
"success": true,
"data": {
"type": "token",
"access_token": "<token_goes_here>",
"expires_in": 3600
}
}
The token must be supplied in any requests to the API in the Authorization header like so
Authorization: Bearer <token_goes_here>
Errors
If the supplied credentials are incorrect the following error response will be returned:
{
"message": "'Invalid credentials"
}
Token Refresh
Sending a authorised request to the /v1/token endpoint will blacklist the token and return a new token with
updated iat (issued at) and nbf (not before) values, extending the length of time a user can remain logged in.
The response will be as follows:
{
"success": true,
"data": {
"type": "refresh_token",
"access_token": "<token_goes_here>",
"token_type": "Bearer",
"expires_in": 3600
}
}
Log Out
Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.