# Admin Token

### Initial Admin Login

When an admin attempts to log in for the first time:

1. Send a `POST` request to the `/api/admin/login_check` endpoint with the admin's credentials as a JSON payload.

```json
{
  "username": "admin@example.com",
  "password": "password123"
}
```

2. Upon successful authentication, OpenLoyalty will return a response containing a JWT token and a refresh token:

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "def50200a2e8c9a2..."
}
```

This JWT token is critical as it must be included in the `Authorization` header as a Bearer token for all subsequent requests to the API.

***

### Maintaining Authentication State

The JWT token has a validity period of 24 hours. To continue interacting with the API beyond this period without requiring the admin to log in again, you will need to refresh the token.

{% hint style="danger" %}
To ensure optimal performance of your environment, it's crucial to avoid frequent requests for JWT tokens, as this can significantly impact system efficiency.

The `/api/admin/login_check` and `/api/token/refresh` endpoints are limited to 20 requests per minute (RPM).
{% endhint %}

1. Send a `POST` request to the `/api/token/refresh` endpoint with the refresh token before the JWT token expires:

```json
{
  "refresh_token": "def50200a2e8c9a2..."
}
```

2. If the refresh token is valid, OpenLoyalty will issue a new JWT token along with a new refresh token.

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "ghi78900b3f1c9d3..."
}
```

Replace the old JWT token with the new one in the `Authorization` header for all future requests.

<figure><img src="https://content.gitbook.com/content/gIv2CyIIYf7vRfuhMKQ6/blobs/srffkeUAmnPWfqlZWWkN/image%20(13).png" alt=""><figcaption><p>Sequence diagram for the authentication flow</p></figcaption></figure>

***

### Best Practices

* **Token Storage**: Store the JWT and refresh tokens securely, and never expose them to unauthorized entities.
* **Error Handling**: Implement error handling for scenarios where the token refresh fails, prompting to re-authenticate if necessary.

By following these steps and best practices, you can integrate OpenLoyalty's authentication flow into your application, ensuring secure and seamless access to its API.

***

{% hint style="success" %}
For additional details and best practices, you should consult the official OpenLoyalty API documentation (<https://apidocs.openloyalty.io/>), as it will provide the most accurate and up-to-date information, including any recent changes to the API, security advisories, and detailed endpoint descriptions.
{% endhint %}