Skip to content

Authentication

We use JWT for the authentication of the API.

Client ID + Secret (OAuth 2.0)

To obtain a token using a client_id and client_secret you need to send a request to /oauth/token These tokens are short lived and expire after 15 minutes.

Request

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=red-marker-reviews

Response

{
    "success": true,
    "data": {
        "type": "token",
        "access_token": "<token_goes_here>",
        "expires_in": 900
    }
}

Token Refresh

There is no refresh endpoint for these short lived tokens. To obtain a new token, send a request /oauth/token using the above parameters.

Username + Password

Deprecated

It is preferred to use OAuth to obtain a token to use the Red Marker API. This Authentication mechanism will be deprecated in future.

To obtain a token you need to send a request to /v1/login

Request

POST /v1/login HTTP/1.1
Content-Type: application/json

{
  "email": "<email_here>",
  "password": "<password_here>"
}

Response

{
    "success": true,
    "data": {
        "type": "token",
        "access_token": "<token_goes_here>",
        "expires_in": 3600
    }
}

The token must be supplied in any requests to the API in the Authorization header like so

Authorization: Bearer <token_goes_here>

Errors

If the supplied credentials are incorrect the following error response will be returned:

{
    "message": "'Invalid credentials"
}

Token Refresh

Sending a authorised request to the /v1/token endpoint will blacklist the token and return a new token with updated iat (issued at) and nbf (not before) values, extending the length of time a user can remain logged in.

The response will be as follows:

{
    "success": true,
    "data": {
        "type": "refresh_token",
        "access_token": "<token_goes_here>",
        "token_type": "Bearer",
        "expires_in": 3600
    }
}

Log Out

Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.