Vendy authenticates your API request using the JWT token generated upon successful authentication of your (email|username) and password. To use any Vendy API, you must first call the /auth endpoint with your AccessKey & SecretKey in the header of your request.

AccessKey: <found in the Settings page of the dashboard>

SecretKey: <found in the Settings page of the dashboard>

Upon successful authentication, a time-bound JWT token will be generated and sent back to you in the token response attribute

You will be required to include the JWT token in subsequent requests to the API as part of

Authorization: Bearer <token>.

When architecting your system please be aware that the generated JWT tokens have a 7day expiry time, as indicated in the expiryTime response attribute.

We require that all requests are sent server-to-server. Your app or website should never be directly communicating with the Vendy APIs, as your private connection keys may be exposed in transit. All requests are required to be made via an HTTPS connection; requests made over plain HTTP will fail.



  • If you are authorized to access the requested resources, the resource server will return the requested information.

  • If you are not authorized to access the requested resources, the resource server will return an error message.

  • Do not expose your JWT token. The JWT token allows you to carry out constructive and destructive actions on your account, which may include and not limited to withdrawals, collection requests, account updates.

Protecting your API tokens

  • Do not store API tokens inside your applications source control: If you store API tokens in property or configuration files, keep these files outside your source control systems. This is especially important if you use a public source code management system such as BitBucket. You may want to rely on environment variables or similar runtime injection techniques rather than keeping sensitive keys on disk.

  • Do not embed API keys directly in code: Instead of embedding API keys in your application's code, put them in environment variables or include files that are stored separately from the bulk of your code – outside the source repository of your application.

  • Limit employee access to production API keys: While keys to access our sandbox environment will likely be shared by many developers, access to production keys (when provided) should be limited to only necessary personnel.