Authentication
We use JWT for the authentication of the API.
Log In
To obtain a token, send a request to /v1/login.
Request
POST /v1/login HTTP/1.1
Content-Type: application/json

{
  "email": "<email_here>",
  "password": "<password_here>"
}
Response
{
  "success": true,
  "data": {
    "type": "token",
    "access_token": "<token_goes_here>",
    "expires_in": 3600
  }
}
The token must be supplied in the Authorization header of every request to the API, like so:
Authorization: Bearer <token_goes_here>
Errors
If the supplied credentials are incorrect the following error response will be returned:
{
  "message": "'Invalid credentials"
}
Refresh the Token
Sending an authorised request to the /v1/token endpoint will blacklist the token and return a new token with updated iat (issued at) and nbf (not before) values, extending the length of time a user can remain logged in.
The response will be as follows:
{
  "success": true,
  "data": {
    "type": "refresh_token",
    "access_token": "<token_goes_here>",
    "token_type": "Bearer",
    "expires_in": 3600
  }
}
Log Out
Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.
OAuth 2.0 - Client id + Client Secret
To obtain a token using a client_id and client_secret, send a request to /oauth/token.
These tokens are short lived and expire after 15 minutes.
Request
POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

{
  "grant_type": "client_credentials",
  "scope": "red-marker-review",
  "client_id": "<client_id>",
  "client_secret": "<client_secret>"
}
Response
{
  "success": true,
  "data": {
    "type": "token",
    "access_token": "<token_goes_here>",
    "expires_in": 900
  }
}
Refresh the Token
There is no refresh endpoint for these short lived tokens. To obtain a new token, send a request to /oauth/token using the above parameters.
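Because there is no refresh endpoint here, a client has to track expires_in itself and request a new token before the old one lapses. The following is an added example, not code from this API's authors: the class name, the post(path, headers, body) transport hook, the 30 second renewal margin and the demo values are all hypothetical, and the body is sent form-encoded on the assumption that the Content-Type header shown above is what the server expects.

```python
import time
import urllib.parse

TOKEN_PATH = "/oauth/token"  # endpoint documented above
SKEW_SECONDS = 30            # assumption: renew this long before expiry


class ClientCredentialsTokenCache:
    def __init__(self, client_id, client_secret, post,
                 scope="red-marker-review", clock=time.monotonic):
        # post(path, headers, body) -> dict is a hypothetical transport hook;
        # in real use it wraps an HTTPS client. Injected so the example runs offline.
        self._form = urllib.parse.urlencode({
            "grant_type": "client_credentials", "scope": scope,
            "client_id": client_id, "client_secret": client_secret})
        self._post, self._clock = post, clock
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        reply = self._post(TOKEN_PATH, {
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json"}, self._form)
        data = reply.get("data") or {}
        if not reply.get("success") or not data.get("access_token"):
            # Do not include the request body in the error: it holds client_secret.
            raise RuntimeError("token request failed")
        self._token = data["access_token"]
        self._expires_at = self._clock() + int(data["expires_in"]) - SKEW_SECONDS

    def auth_header(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch()
        return {"Authorization": f"Bearer {self._token}"}


def demo():
    # Constructed stand-in for the API: issues tok-1, tok-2, ... valid for 900 s.
    now, calls = [0.0], []
    def fake_post(path, headers, body):
        calls.append(body)
        return {"success": True, "data": {
            "type": "token", "access_token": f"tok-{len(calls)}", "expires_in": 900}}
    cache = ClientCredentialsTokenCache("demo-id", "demo-secret", fake_post,
                                        clock=lambda: now[0])
    seen = []
    for t in (0, 869, 870, 1000):  # seconds on the fake clock
        now[0] = t
        seen.append(cache.auth_header()["Authorization"])
    return seen, len(calls)
```

Keeping the token in memory and reusing it until the margin is reached also limits how often the client_secret crosses the network.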
Log Out
Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.