Admin Token

Securing your application with OpenLoyalty starts with a robust authentication flow. OpenLoyalty leverages JSON Web Tokens (JWT) to ensure that requests to its API are authorized.

Initial Admin Login

When an admin logs in for the first time:

  1. Send a POST request to the /api/admin/login_check endpoint with the admin's credentials as a JSON payload:

{
  "username": "admin@example.com",
  "password": "password123"
}

  2. Upon successful authentication, OpenLoyalty returns a response containing a JWT and a refresh token:

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "def50200a2e8c9a2..."
}

This JWT must be sent in the Authorization header as a Bearer token on every subsequent request to the API.

Maintaining Authentication State

The JWT is valid for 24 hours. To keep interacting with the API beyond this period without requiring the admin to log in again, you need to refresh the token.

To ensure optimal performance of your environment, it's crucial to avoid frequent requests for JWT tokens, as this can significantly impact system efficiency.

The /api/admin/login_check and /api/token/refresh endpoints are limited to 20 requests per minute (RPM).

  1. Send a POST request to the /api/token/refresh endpoint with the refresh token before the JWT expires:

{
  "refresh_token": "def50200a2e8c9a2..."
}

  2. If the refresh token is valid, OpenLoyalty issues a new JWT along with a new refresh token:

{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "ghi78900b3f1c9d3..."
}

Replace the old JWT token with the new one in the Authorization header for all future requests.


Best Practices

  • Token Storage: Store the JWT and refresh tokens securely, and never expose them to unauthorized entities.

  • Error Handling: Implement error handling for the case where the token refresh fails, prompting the admin to re-authenticate if necessary.

By following these steps and best practices, you can integrate OpenLoyalty's authentication flow into your application, ensuring secure and seamless access to its API.
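The login, refresh and fall-back-to-login steps above, as an added example that is not part of the OpenLoyalty documentation or its client libraries: a small Python session wrapper that renews the token only when it is close to its 24-hour expiry (so the two rate-limited endpoints are not hit on every call) and re-authenticates when a refresh is rejected. BASE_URL is a placeholder, and the `transport(url, payload) -> (status, body)` callable is an assumed caller-supplied HTTP client (for instance a thin wrapper around requests.post).

```python
import base64
import json
import time

BASE_URL = "https://example.openloyalty.io"  # assumed tenant URL (placeholder)
TOKEN_LIFETIME = 24 * 3600                   # documented JWT validity: 24 hours
REFRESH_MARGIN = 5 * 60                      # renew shortly before expiry, not on every call

def jwt_exp(token):
    """'exp' claim from the JWT payload; no signature check, the client only schedules renewal."""
    try:
        seg = token.split(".")[1]
        return int(json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))["exp"])
    except (IndexError, KeyError, ValueError, TypeError):
        return None

class AdminSession:
    def __init__(self, username, password, transport, now=time.time):
        # transport(url, payload) -> (http_status, json_body): assumed caller-supplied HTTP client
        self._creds = {"username": username, "password": password}
        self._post, self._now = transport, now
        self.token = self.refresh_token = None
        self._expires_at = 0.0

    def _store(self, body):
        self.token, self.refresh_token = body["token"], body["refresh_token"]
        # prefer the server's own exp claim; fall back to the documented 24-hour lifetime
        self._expires_at = jwt_exp(self.token) or self._now() + TOKEN_LIFETIME

    def login(self):
        status, body = self._post(f"{BASE_URL}/api/admin/login_check", self._creds)
        if status != 200 or "token" not in body:
            raise PermissionError(f"login_check failed with HTTP {status}")
        self._store(body)

    def refresh(self):
        status, body = self._post(f"{BASE_URL}/api/token/refresh", {"refresh_token": self.refresh_token})
        if status == 200 and "token" in body:
            self._store(body)
        else:
            self.login()  # refresh rejected (expired or revoked): re-authenticate instead

    def auth_header(self):
        """Authorization header for the next call; logs in or refreshes first when needed."""
        if self.token is None:
            self.login()
        elif self._now() >= self._expires_at - REFRESH_MARGIN:
            self.refresh()
        return {"Authorization": f"Bearer {self.token}"}
```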


Last updated 9 months ago

For additional details and best practices, consult the official OpenLoyalty API documentation (https://apidocs.openloyalty.io/), as it provides the most accurate and up-to-date information, including any recent changes to the API, security advisories, and detailed endpoint descriptions.

Figure: Sequence diagram for the authentication flow