Member Token

This article guides you through the process of authenticating members and how to manage their session tokens effectively.

Initial Admin Login

When a member attempts to log in for the first time:

  1. Send a POST request to the /api/{storeCode}/member/login_check endpoint with the member's credentials as a JSON payload.

{
  "username": "user@example.com",
  "password": "password123"
}
  1. Upon successful authentication, OpenLoyalty will return a response containing a JWT token and a refresh token:

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "def50200a2e8c9a2..."
}

This JWT token is critical as it must be included in the Authorization header as a Bearer token for the subsequent requests to the API.

Please note the list of endpoints utilizing a member's token is limited. The complete list can be found below the hint.

For the remaining endpoints, you still need to use the admin token.

List of endpoints utilizing member's token

Maintaining Authentication State

The JWT token has a validity period of 24 hours. To continue interacting with the API beyond this period without requiring the member to log in again, you will need to refresh the token.

To ensure optimal performance of your environment, it's crucial to avoid frequent requests for JWT tokens, as this can significantly impact system efficiency.

  1. Send a POST request to the /api/{storeCode}/token/refresh endpoint with the refresh token before the JWT token expires:

{
  "refresh_token": "def50200a2e8c9a2..."
}
  1. If the refresh token is valid, OpenLoyalty will issue a new JWT token along with a new refresh token.

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "ghi78900b3f1c9d3..."
}

Replace the old JWT token with the new one in the Authorization header for all future requests utilizing member's token.


Best Practices

  • Token Security: It is critical to handle JWT tokens securely to protect them from interception or unauthorized access.

  • Token Refresh Strategy: Implementing an automated refresh token strategy will enhance the user experience by preventing session disruptions.

  • Error Handling: Your client application should be equipped to handle errors during the authentication process, including scenarios where the refresh token has expired, necessitating a full re-authentication.

By following these steps and best practices, you can integrate OpenLoyalty's authentication flow into your application, ensuring secure and seamless access to its API.


For additional details and best practices, you should consult the official OpenLoyalty API documentation (https://apidocs.openloyalty.io/), as it will provide the most accurate and up-to-date information, including any recent changes to the API, security advisories, and detailed endpoint descriptions.

Last updated