Vendy authenticates your API requests using a JWT generated upon successful authentication of your (email|username) and password. To use any Vendy API, you must first call the /auth endpoint with your base64-encoded username and password in a Basic authorization header. Upon successful authentication, a time-bound JWT is generated and returned to you in the token response attribute.
You must include the JWT in every subsequent request to the API, in the following header:
Authorization: Bearer <token>
When architecting your system, please be aware that the generated JWTs have a 7-day expiry time, as indicated in the expiryTime response attribute.
We require that all requests are sent server-to-server. Your app or website should never communicate directly with the Vendy APIs, as your private connection keys may be exposed in transit. All requests must be made over an HTTPS connection; requests made over plain HTTP will fail.
Request:
Field | Type | Description |
---|---|---|
username | string | The registered email on Vendy |
password | string | The user's password on Vendy |
Example Request
curl --location --request POST 'https://api.vendy.money/auth' \
--header 'Authorization: Basic <base64(username:password)>' \
--data-raw '{}'
Response:
Field | Type | Description |
---|---|---|
token | string | The JWT to be used for subsequent requests |
expiryTime | string | A time after which the token will become invalid |
Example response
{
"token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3RpZCI6IjEyOTM5MTA2LTgwMzgtNGZjNi04ZmFmLTBkNzJhY2VkNTQ3YyIsImlhdCI6MTY4NzQ3Mjk1MSwiZXhwIjoxNjg4NjgyNTUxLCJpc3MiOiJodHRwczovL3ZlbmR5Lm1vbmV5LmNvbS8iLCJqdGkiOiIxMjkzOTEwNi04MDM4LTRmYzYtOGZhZi0wZDcyYWNlZDU0N2MifQ.ps3IGxdlRIr4IFeKtFHEhTW0Mza2BmUwksL6bMAsn9PEikq2JT1vFCdavTlOkf6wXY2LDxXEzWwrz7Blj39yJ-hwrug773qHq7Bk2anFHQJwasKi5qFL9iDliLyic097099sTw70KFZheVepTmflQOYcsKNQ-jJN7lFijDKs1WE",
"expiryTime": "Thu, 06 Jul 2023 22:35:51 GMT"
}
Possible errors:
Error Code | Description |
---|---|
400 (Bad request) | The user failed to enter a password and receives an error message that says "data invalid." Required fields were invalid or not specified. |
401 (Unauthorized) | The user inputs an incorrect password and receives an error message that says "incorrect password". |
401 (Unauthorized) | The user is unable to activate their account and receives an error message stating "Account has not been activated. Check your email for instructions on how to activate it!" |
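
An added example, not Vendy's own client code, of the server-side flow this page describes: build the Basic header for /auth, parse token and expiryTime, renew before expiry, and refuse to send credentials over plain HTTP. The function names, the five-minute `REFRESH_MARGIN` and the placeholder token in `SAMPLE_RESPONSE` are assumptions.

```python
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

AUTH_URL = "https://api.vendy.money/auth"   # endpoint from the page's curl example
REFRESH_MARGIN = timedelta(minutes=5)        # assumption: renew slightly before expiry
# Constructed sample: placeholder token, expiryTime in the format the page shows.
SAMPLE_RESPONSE = '{"token": "header.payload.signature", "expiryTime": "Thu, 06 Jul 2023 22:35:51 GMT"}'


def basic_header(username, password):
    """Authorization value for /auth: 'Basic ' + base64(username:password)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_auth_response(body):
    """Return (token, expiry) with expiryTime parsed as an aware UTC datetime."""
    data = json.loads(body)
    expiry = parsedate_to_datetime(data["expiryTime"])
    if expiry.tzinfo is None:                # treat a zone-less date as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    return data["token"], expiry.astimezone(timezone.utc)


def needs_refresh(expiry, now=None):
    """True once 'now' is within REFRESH_MARGIN of the token's expiry."""
    now = now or datetime.now(timezone.utc)
    return now >= expiry - REFRESH_MARGIN


def fetch_token(username, password, url=AUTH_URL):
    """POST to /auth from the server side; never send credentials over plain HTTP."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials to a non-HTTPS URL")
    req = urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Authorization": basic_header(username, password)},
    )
    # urlopen raises urllib.error.HTTPError for the 400/401 responses the page documents.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_auth_response(resp.read().decode("utf-8"))


def bearer_header(token):
    """Header for subsequent API calls."""
    return {"Authorization": f"Bearer {token}"}
```

Cache the token and its expiry on the server, and call `fetch_token` again only when `needs_refresh` returns true, so the password is sent as rarely as possible.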