# Authentication

### Getting apikey/apptoken

To acquire an apikey, register your application with the Epixel MLM software. You will then receive a unique apikey based on your application type.

Send this apikey in the header of each request. Here is an example:

`apikey: {apikey}`

The apikey is required in every use case: every request to the Epixel MLM API must include it.

### Access and Refresh token

The Epixel MLM API uses JSON Web Tokens (JWT) to authenticate user-level access. These tokens offer a method to establish secure server-to-server authentication by transferring a compact JSON object with a signed payload of your account’s details.

When authenticating to the Epixel MLM API, two JWTs (a refresh token and an access token) should be generated uniquely by a server-side application, and the access token should be included as a Bearer token in the header of each request.

The access token is valid only for a limited time. After that, you need to request a new access token using the refresh token.

To get the access and refresh tokens, send a request to the login endpoint with the apikey in the header and the username and password in the request body. After successful authentication you will receive the access and refresh tokens for that specific user.

### API Authentication

To access any endpoint, users must have an access token. To receive one, users authenticate with their username and password, together with the API key. With this access token, users can connect to the API endpoints.

### Login

<mark style="color:green;">`POST`</mark> `https://<domain>/<api prefix>/<version>/user/login/`

This API endpoint will return an access and refresh token for the user.

#### Headers

| Name                                     | Type   | Description |
| ---------------------------------------- | ------ | ----------- |
| apikey<mark style="color:red;">\*</mark> | string |             |

#### Request Body

| Name                                       | Type   | Description |
| ------------------------------------------ | ------ | ----------- |
| username<mark style="color:red;">\*</mark> | string |             |
| password<mark style="color:red;">\*</mark> | string |             |

{% tabs %}
{% tab title="200 " %}

```markup
HTTP/1.1 200 OK
Content-Type: application/json

Body:
{
    "refresh": <refresh token>,
    "access": <access token>
}
```

{% endtab %}
{% endtabs %}

#### Sample Code

**Node**

```javascript
var request = require('request');
var options = {
  'method': 'POST',
  'url': 'https://<domain>/<api prefix>/<version>/user/login/',
  'headers': {
    'apikey': '<apikey>',
  },
  formData: {
    'username': '<username>',
    'password': '<password>'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

**PHP**

```php
<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://<domain>/<api prefix>/<version>/user/login/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => array('username' => '<username>','password' => '<password>'),
  CURLOPT_HTTPHEADER => array(
    "apikey: <apikey>"
  ),
));

$response = curl_exec($curl);

curl_close($curl);
echo $response;
```

#### Error Responses

| Status Code | Error Type            | Description                                                                                     |
| ----------- | --------------------- | ----------------------------------------------------------------------------------------------- |
| 401         | Authentication failed | The supplied authentication credentials are invalid.                                            |
| 401         | Inactive Account      | No active account found with the given credentials.                                             |
| 401         | Access Blocked        | Your account is blocked due to too many failed log-in attempts. Please try again in 10 minutes. |

### Token Refresh

<mark style="color:green;">`POST`</mark> `https://<domain>/<api prefix>/<version>/user/token/refresh/`

This API endpoint will return a new access token for the user.

#### Headers

| Name                                     | Type   | Description |
| ---------------------------------------- | ------ | ----------- |
| apikey<mark style="color:red;">\*</mark> | string | apikey      |

#### Request Body

| Name                                      | Type   | Description    |
| ----------------------------------------- | ------ | -------------- |
| refresh<mark style="color:red;">\*</mark> | string | Refresh Token  |

{% tabs %}
{% tab title="200 " %}

```markup
HTTP/1.1 200 OK
Content-Type: application/json

Body:
{
    "access": <access token>
}
```

{% endtab %}
{% endtabs %}

#### Sample code

**Node**

```javascript
var request = require('request');
var options = {
  'method': 'POST',
  'url': 'https://<domain>/<api prefix>/<version>/user/token/refresh/',
  'headers': {
    'apikey': '<apikey>'
  },
  formData: {
    'refresh': '<refresh token>'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

**PHP**

```php
<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://<domain>/<api prefix>/<version>/user/token/refresh/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => array('refresh' => '<refresh token>'),
  CURLOPT_HTTPHEADER => array(
    "apikey: <apikey>"
  ),
));

$response = curl_exec($curl);

curl_close($curl);
echo $response;
```

#### Error Responses

| Status Code | Error Type       | Field   | Description                                          |
| ----------- | ---------------- | ------- | ---------------------------------------------------- |
| 400         | Validation Error | refresh | The supplied authentication credentials are invalid. |
| 400         | Validation Error | refresh | No active account found with the given credentials.  |

### Logout

<mark style="color:green;">`POST`</mark> `https://<domain>/<api prefix>/<version>/user/logout/`

This API endpoint will blacklist the refresh token generated for the user.

#### Headers

| Name                                            | Type   | Description                |
| ----------------------------------------------- | ------ | -------------------------- |
| apikey<mark style="color:red;">\*</mark>        | string | apikey                     |
| Authorization<mark style="color:red;">\*</mark> | string | Authorization Bearer Token |

#### Request Body

| Name                                      | Type   | Description   |
| ----------------------------------------- | ------ | ------------- |
| refresh<mark style="color:red;">\*</mark> | string | refresh token |

{% tabs %}
{% tab title="200 " %}

```markup
HTTP/1.1 200 OK
Content-Type: application/json

Body:
{
    "status_code": 200,
    "errors": {},
    "data": {}
}
```

{% endtab %}
{% endtabs %}

#### Sample code

**Node**

```javascript
var request = require('request');
var options = {
  'method': 'POST',
  'url': 'https://<domain>/<api prefix>/<version>/user/logout/',
  'headers': {
    'apikey': '<apikey>',
    'Authorization': 'Bearer <access token>'
  },
  formData: {
    'refresh': '<refresh token>'
  }
};
request(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.body);
});
```

**PHP**

```php
<?php

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://<domain>/<api prefix>/<version>/user/logout/",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => array('refresh' => '<refresh token>'),
  CURLOPT_HTTPHEADER => array(
    "apikey: <apikey>",
    "Authorization: Bearer <access token>"
  ),
));

$response = curl_exec($curl);

curl_close($curl);
echo $response;
```

#### Error Responses

Same error responses as the token refresh endpoint.

### Common Authentication Error Responses

| Status Code | Error Type               | Description                                                   |
| ----------- | ------------------------ | ------------------------------------------------------------- |
| 401         | Bad Authorization Header | Missing required authorization header.                        |
| 401         | Bad Authorization Header | Authorization header must contain two space-delimited values. |
| 401         | Invalid Access Token     | The supplied access token is invalid or expired.              |
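
The login, refresh and error handling described above can be combined into one server-side session wrapper. This is an added example, not code from the Epixel documentation; it assumes the access token carries the standard JWT `exp` claim, and `Session`, `send`, `jwtExpiry` and `shouldRefresh` are hypothetical names, with `send` standing in for an HTTP transport that prepends `https://<domain>/<api prefix>/<version>`.

```javascript
// Added example, not Epixel code. Assumptions: the access token carries the
// standard JWT `exp` claim, and `send(path, headers, form)` is a hypothetical
// transport resolving to { status, body } with `body` already parsed from JSON.

// Read `exp` WITHOUT verifying the signature. Used only to schedule a refresh;
// the server stays the authority on whether a token is valid.
function jwtExpiry(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
    return Number.isFinite(claims.exp) ? claims.exp : null;
  } catch (e) {
    return null;
  }
}

// True when the token is unreadable, expired, or within `skewSec` of expiry.
function shouldRefresh(token, nowSec, skewSec = 30) {
  const exp = jwtExpiry(token);
  return exp === null || exp - nowSec <= skewSec;
}

class Session {
  constructor(send, apikey, now = () => Math.floor(Date.now() / 1000)) {
    Object.assign(this, { send, apikey, now, access: null, refresh: null });
  }
  async login(username, password) {
    const r = await this.send('/user/login/', { apikey: this.apikey }, { username, password });
    // No automatic retry on 401: repeated failures end in the 10-minute block.
    if (r.status !== 200) throw new Error('login failed: ' + r.status);
    ({ access: this.access, refresh: this.refresh } = r.body);
  }
  async renew() {
    if (!this.refresh) throw new Error('not logged in');
    const r = await this.send('/user/token/refresh/', { apikey: this.apikey }, { refresh: this.refresh });
    // 400: the refresh token is no longer accepted, so drop state and log in again.
    if (r.status !== 200) { this.access = this.refresh = null; throw new Error('re-login required'); }
    this.access = r.body.access;
  }
  // Call a protected endpoint: refresh ahead of expiry, and at most once after a 401.
  async call(path, form) {
    if (shouldRefresh(this.access, this.now())) await this.renew();
    const headers = () => ({ apikey: this.apikey, Authorization: 'Bearer ' + this.access });
    let r = await this.send(path, headers(), form);
    if (r.status === 401) { await this.renew(); r = await this.send(path, headers(), form); }
    return r;
  }
}
```

The single retry after a 401 keeps a revoked or blacklisted token from turning into a request loop, and the refresh token never leaves the server-side process that holds the `Session`.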
