Authentication

The API uses JSON Web Tokens for authentication where necessary. For the rest of this documentation we refer to these as JWT's. To obtain a JWT use the /authenticate endpoint.

Tokens are issued for a lifetime of 15 minutes which should be enough to undertake any action via the API. We may implement long lived tokens based on feedback, but as this is carries an inherent security risk, we require re-authentication with each set of actions.

API requests expect for the API token to be included in all API requests to the server in an X-Auth-Token header as follows:

X-Auth-Token: <your_jwt>

You must replace your_jwt with your personal API key.

POST /authenticate

To obtain a JWT you need to POST your username and password to this endpoint with the structure as outlined here.

The JWT is valid for a period of 15 minutes from the time of issue which should be sufficient to undertake any operations using the API while minimising security risks.

Note: the username and password belong to the store owner. There is currently a limitation of one user account per store.

{
  "username": "<your_username>",
  "password": "<your_password>"
}

If the supplied credentials are valid the above command returns a JSON response with the JWT as outlined below:

{
  "person": {
    "id": "<your_id>",
    "role": "<your_role>"
  },
  "token": "<your_jwt>"
}

GET /info

Once you have a JWT you can check its contents using the /info endpoint. It will return the details as outlined here:

{
    "user_id": 111,
    "seller_account_id": 222,
    "created": "<created_date>",
    "expires": "<expiry_date>",
    "roles": [
        "<your_role>",
        "<your_other_role>"
    ]
}