
Authentication

We use JWT for the authentication of the API.

Log In

To obtain a token, send a request to /v1/login.

Request

POST /v1/login HTTP/1.1
Content-Type: application/json

{
  "email": "<email_here>",
  "password": "<password_here>"
}

Response

{
    "success": true,
    "data": {
        "type": "token",
        "access_token": "<token_goes_here>",
        "expires_in": 3600
    }
}

The token must be supplied in the Authorization header of every request to the API, like so:

Authorization: Bearer <token_goes_here>

Errors

If the supplied credentials are incorrect the following error response will be returned:

{
    "message": "'Invalid credentials"
}

Refresh the Token

Sending an authorised request to the /v1/token endpoint will blacklist the token and return a new token with updated iat (issued at) and nbf (not before) values, extending the length of time a user can remain logged in.

The response will be as follows:

{
    "success": true,
    "data": {
        "type": "refresh_token",
        "access_token": "<token_goes_here>",
        "token_type": "Bearer",
        "expires_in": 3600
    }
}
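
The login and refresh flow above seen from the client side, as an added example that is not the API's own code. The `send` transport, the `TokenSession` and `FakeApi` names, the POST method on /v1/token, the sample credentials and the rejection body are assumptions made for illustration.

```python
import time

class TokenSession:
    """Holds one bearer token and rotates it via /v1/token before it expires."""
    def __init__(self, send, clock=time.monotonic, skew=60):
        self.send, self.clock, self.skew = send, clock, skew  # skew: refresh margin (s)
        self.token, self.expires_at = None, 0.0

    def _bearer(self):
        return {"Authorization": f"Bearer {self.token}"}

    def _store(self, body):
        # The error body on the page carries no "success" key: treat absence as failure.
        if not body.get("success"):
            raise PermissionError(body.get("message", "authentication failed"))
        self.token = body["data"]["access_token"]
        self.expires_at = self.clock() + body["data"]["expires_in"]

    def login(self, email, password):
        self._store(self.send("POST", "/v1/login", {"Content-Type": "application/json"},
                              {"email": email, "password": password}))

    def auth_headers(self):
        # Assumption: an expired token cannot authorise the refresh call, so log in again.
        if self.token is None or self.clock() >= self.expires_at:
            self.token = None
            raise PermissionError("no valid token; log in again")
        if self.clock() >= self.expires_at - self.skew:
            # /v1/token blacklists the token it was called with, so swap at once.
            self._store(self.send("POST", "/v1/token", self._bearer(), None))
        return self._bearer()

class FakeApi:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self):
        self.live, self.issued = set(), 0

    def __call__(self, method, path, headers, body):
        if path == "/v1/login":
            if body != {"email": "user@example.test", "password": "s3cret"}:
                return {"message": "Invalid credentials"}
        else:
            token = headers.get("Authorization", "")[len("Bearer "):]
            if token not in self.live:
                return {"message": "rejected"}  # constructed; real body not documented
            self.live.discard(token)  # refresh blacklists the old token
        self.issued += 1
        self.live.add(f"tok{self.issued}")
        return {"success": True, "data": {"access_token": f"tok{self.issued}", "expires_in": 3600}}
```

In a multi-threaded client, guard `auth_headers` with a lock so two callers do not both refresh with the same token; the second would be presenting a blacklisted one.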

Log Out

Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.

OAuth 2.0 - Client id + Client Secret

To obtain a token using a client_id and client_secret, send a request to /oauth/token. These tokens are short-lived and expire after 15 minutes.

Request

POST /oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json

grant_type=client_credentials&scope=red-marker-review&client_id=<client_id>&client_secret=<client_secret>

Response

{
    "success": true,
    "data": {
        "type": "token",
        "access_token": "<token_goes_here>",
        "expires_in": 900
    }
}

Refresh the Token

There is no refresh endpoint for these short-lived tokens. To obtain a new token, send a request to /oauth/token using the above parameters.

Log Out

Sending an authenticated request to the /v1/logout endpoint will blacklist the supplied token.