
API Introduction

The Qpon API supports two authorization methods for authenticating your requests. Choose the method that best fits your use case.

Authorization Methods

1. Bearer Token Authentication

This method uses JWT tokens obtained through the login endpoint. Include the token in the Authorization header.

Usage:

Authorization: Bearer <token>

How to get a token:

  1. Call the /api/users/login endpoint with your email and password
  2. Extract the access_token from the response
  3. Use this token in subsequent API calls

2. API Key Authentication

This method uses API keys for programmatic access. Include both the API key and secret in the request headers.

Usage:

x-api-key: <your-api-key>
x-api-secret: <your-api-secret>

How to get API keys:

  1. Call the /api/api-keys endpoint to create an API key
  2. Store the returned api_key and api_secret securely
  3. Use these credentials in your API requests

Choosing an Authorization Method

  • Bearer Token: Best for user-facing applications where users log in with their credentials
  • API Key: Best for server-to-server communication, integrations, and automated systems

Security Notes

  • Keep your tokens and API keys secure and never expose them in client-side code
  • API keys should be rotated regularly for security
  • Bearer tokens have expiration times and need to be refreshed
  • Use HTTPS for all API requests to protect credentials in transit
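A client-side guard for the notes above, as an added example that is not part of the Qpon documentation: it refuses to attach credentials to a non-HTTPS URL and rejects a bearer token that is expired or close to expiry before any request is sent. It assumes the JWT carries the standard `exp` claim; the function names and the `api.example.test` URL are hypothetical, and the sample token is constructed.

```python
import base64
import json
import time
from urllib.parse import urlsplit

def jwt_expiry(token):
    """Return the `exp` claim (Unix seconds), or None if the token has none.
    Reads the payload only; signature verification stays the server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    exp = json.loads(base64.urlsafe_b64decode(padded)).get("exp")
    return None if exp is None else int(exp)

def needs_refresh(token, now=None, skew=60):
    """True when the token is expired or expires within `skew` seconds."""
    exp = jwt_expiry(token)
    now = time.time() if now is None else now
    return exp is not None and now >= exp - skew

def auth_headers(url, token=None, api_key=None, api_secret=None, now=None):
    """Build the headers for one request, failing closed on unsafe conditions."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    if token is not None:
        if needs_refresh(token, now=now):
            raise PermissionError("bearer token expired or close to expiry")
        return {"Authorization": "Bearer " + token}
    if api_key and api_secret:
        return {"x-api-key": api_key, "x-api-secret": api_secret}
    raise ValueError("supply a bearer token, or both the API key and secret")

def sample_token(exp):
    """Constructed, unsigned token for offline testing only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "HS256", "typ": "JWT"}  # constructed header, never verified here
    return ".".join([seg(header), seg({"exp": exp}), "constructed-signature"])

if __name__ == "__main__":
    tok = sample_token(int(time.time()) + 3600)
    print(auth_headers("https://api.example.test/resource", token=tok))
```

Pass the API key and secret in from the environment or a secrets manager rather than hard-coding them in source.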

Error Responses

With either authorization method, the API returns 401 Unauthorized if:

  • The token is invalid or expired
  • The API key/secret combination is incorrect
  • Required headers are missing

{
  "code": 401,
  "message": "Unauthorized"
}