Vendy authenticates your API request using JWT token generated upon successful authentication of your (email|username) and password. To use any Vendy API, you must first call the /auth endpoint with your base 64 encoded username and password to form a basic authorization header entry. Upon successful authentication, a time bound JWT token will be generated and sent back to you in the token response attribute

You will be required to include the JWT token in subsequent request to the API as part of;

Authorization: Bearer <token>

When architecting your system please be aware that the generated JWT tokens have a 7day expiry time, as indicated in the expiryTime response attribute.

We require that all requests are sent server-to-server. Your app or website should never be directly communicating with the Vendy APIs, as your private connection keys may be exposed in transit. All request are required to be made via an HTTPS connection; requests made over plain HTTP will fail.


usernamestringThe registered email on Vendy
passwordstringThe user's password on Vendy

Example Request

curl --location --request POST '' \
--header 'Authorization: Basic <base64(username:password)>' \
--data-raw '{}'


tokenstringThe JWT to be used for subsequent requests
expiryTimestringA time after which the token will become invalid

Example response

    "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3RpZCI6IjEyOTM5MTA2LTgwMzgtNGZjNi04ZmFmLTBkNzJhY2VkNTQ3YyIsImlhdCI6MTY4NzQ3Mjk1MSwiZXhwIjoxNjg4NjgyNTUxLCJpc3MiOiJodHRwczovL3ZlbmR5Lm1vbmV5LmNvbS8iLCJqdGkiOiIxMjkzOTEwNi04MDM4LTRmYzYtOGZhZi0wZDcyYWNlZDU0N2MifQ.ps3IGxdlRIr4IFeKtFHEhTW0Mza2BmUwksL6bMAsn9PEikq2JT1vFCdavTlOkf6wXY2LDxXEzWwrz7Blj39yJ-hwrug773qHq7Bk2anFHQJwasKi5qFL9iDliLyic097099sTw70KFZheVepTmflQOYcsKNQ-jJN7lFijDKs1WE",
    "expiryTime": "Thu, 06 Jul 2023 22:35:51 GMT"

Possible errors:

Error CodeDescription
400 (Bad request)The user failed to enter a password and receives an error message that says "data invalid."

Required fields were invalid, and not specified.
401 ( Unauthorized)The user inputs an incorrect password and receives an error message that says "incorrect password".
401 (Unauthorized)The user is unable to activate their accounts and receives an error message stating "Account has not been activated. Check your email for instructions on how to activate it!"
Click Try It! to start a request and see the response here!