# Admin Token

### Initial Admin Login

When an admin attempts to log in for the first time:

1. Send a `POST` request to the `/api/admin/login_check` endpoint with the admin's credentials as a JSON payload.

```json
{
  "username": "admin@example.com",
  "password": "password123"
}
```

2. Upon successful authentication, OpenLoyalty will return a response containing a JWT token and a refresh token:

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "def50200a2e8c9a2..."
}
```

This JWT is what authenticates every subsequent API request: send it in the `Authorization` header as a Bearer token (`Authorization: Bearer <token>`), and treat it as a credential.

***

### Maintaining Authentication State

The JWT token has a validity period of 24 hours. To continue interacting with the API beyond this period without requiring the admin to log in again, you will need to refresh the token.

{% hint style="danger" %}
Do not request a new JWT for every API call. Cache the token and reuse it until it is close to expiry; frequent login or refresh requests noticeably degrade the performance of your environment.

The `/api/admin/login_check` and `/api/token/refresh` endpoints are limited to 20 requests per minute (RPM).
{% endhint %}

1. Send a `POST` request to the `/api/token/refresh` endpoint with the refresh token before the JWT token expires:

```json
{
  "refresh_token": "def50200a2e8c9a2..."
}
```

2. If the refresh token is valid, OpenLoyalty will issue a new JWT token along with a new refresh token.

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI...",
  "refresh_token": "ghi78900b3f1c9d3..."
}
```

Replace the old JWT with the new one in the `Authorization` header for all future requests, and keep the new refresh token returned in the same response for the next refresh.

<figure><img src="/files/ZDYLB83QeyWl6rnKevN8" alt=""><figcaption><p>Sequence diagram for the authentication flow</p></figcaption></figure>

***

### Best Practices

* **Token Storage**: Store the JWT and refresh tokens securely, and never expose them to unauthorized entities.
* **Error Handling**: Handle the case where the token refresh fails (for example, an expired or revoked refresh token) by falling back to a full login with the admin's credentials where necessary.

By following these steps and best practices, you can integrate OpenLoyalty's authentication flow into your application, ensuring secure and seamless access to its API.
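The login, caching and refresh steps above, plus the fallback recommended under Error Handling, combined into one small client. This is an added example, not OpenLoyalty's own code: the endpoint paths and JSON field names come from this page, while the `AdminTokenClient` class, the `transport` callable, the 5-minute refresh margin and the `FakeOpenLoyalty` stand-in server are assumptions constructed so the example runs offline. The `exp` claim is read from the JWT payload only to schedule the refresh; signature verification stays on the server.

```python
import base64
import json
import time


class AuthError(Exception):
    """Raised when neither the refresh token nor the credentials yield a JWT."""


def jwt_exp(token):
    """Return the JWT `exp` claim (unix seconds) or None; no signature check is done here."""
    try:
        payload_b64 = token.split(".")[1]
        payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload_b64)).get("exp")
        return float(exp) if exp is not None else None
    except (IndexError, ValueError, AttributeError):
        return None


class AdminTokenClient:
    TOKEN_TTL = 24 * 3600    # documented JWT validity, used when the token carries no exp
    REFRESH_MARGIN = 5 * 60  # refresh this long before expiry (assumption)

    def __init__(self, username, password, transport, clock=time.time):
        self._username, self._password = username, password
        self._transport = transport  # callable(path, json_payload) -> (status, body_dict)
        self._clock = clock
        self._token = self._refresh_token = None
        self._expires_at = 0.0

    def _store(self, body):
        # Keep both tokens: the refresh token is rotated on every refresh.
        self._token, self._refresh_token = body["token"], body["refresh_token"]
        exp = jwt_exp(self._token)
        self._expires_at = exp if exp is not None else self._clock() + self.TOKEN_TTL

    def login(self):
        status, body = self._transport("/api/admin/login_check",
                                       {"username": self._username, "password": self._password})
        if status != 200 or "token" not in body:
            raise AuthError(f"login_check failed with HTTP {status}")
        self._store(body)

    def refresh(self):
        status, body = self._transport("/api/token/refresh",
                                       {"refresh_token": self._refresh_token})
        if status == 200 and "token" in body:
            self._store(body)
        else:
            self.login()  # expired or revoked refresh token: fall back to a full login

    def auth_header(self):
        """Return the Authorization header, logging in or refreshing only when needed."""
        if self._token is None:
            self.login()
        elif self._clock() >= self._expires_at - self.REFRESH_MARGIN:
            self.refresh()
        return {"Authorization": f"Bearer {self._token}"}


class FakeClock:
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class FakeOpenLoyalty:
    """Constructed stand-in for the two endpoints: counts calls, rotates refresh tokens."""

    def __init__(self, clock):
        self._clock, self._valid_refresh, self._n = clock, set(), 0
        self.login_calls = self.refresh_calls = 0

    def revoke_all(self):
        self._valid_refresh.clear()

    def _issue(self):
        self._n += 1
        header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
        claims = json.dumps({"sub": "admin", "exp": int(self._clock()) + 24 * 3600}).encode()
        payload = base64.urlsafe_b64encode(claims).rstrip(b"=").decode()
        refresh = f"refresh-{self._n}"
        self._valid_refresh.add(refresh)
        return 200, {"token": f"{header}.{payload}.fakesig{self._n}", "refresh_token": refresh}

    def __call__(self, path, payload):
        if path == "/api/admin/login_check":
            self.login_calls += 1
            if payload == {"username": "admin@example.com", "password": "password123"}:
                return self._issue()
            return 401, {"code": 401}
        if path == "/api/token/refresh":
            self.refresh_calls += 1
            if payload.get("refresh_token") in self._valid_refresh:
                self._valid_refresh.discard(payload["refresh_token"])  # one-time use
                return self._issue()
            return 401, {"code": 401}
        return 404, {}


def demo():
    clock = FakeClock()
    server = FakeOpenLoyalty(clock)
    client = AdminTokenClient("admin@example.com", "password123", server, clock)
    for _ in range(100):  # many API calls, but only one login_check
        header = client.auth_header()
    clock.now += 24 * 3600 - 60  # one minute before expiry: refresh, not login
    client.auth_header()
    server.revoke_all()  # refresh token no longer accepted
    clock.now += 24 * 3600 - 60
    client.auth_header()  # refresh fails, client falls back to login
    return {"login_calls": server.login_calls, "refresh_calls": server.refresh_calls,
            "bearer": header["Authorization"].startswith("Bearer ")}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `transport` callable would wrap an HTTP client posting JSON to the OpenLoyalty base URL; the refresh margin and the fallback-to-login path are what keep you well under the 20 RPM limit on the two authentication endpoints.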

***

{% hint style="success" %}
For additional details and best practices, you should consult the official OpenLoyalty API documentation (<https://apidocs.openloyalty.io/>), as it will provide the most accurate and up-to-date information, including any recent changes to the API, security advisories, and detailed endpoint descriptions.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.openloyalty.io/technical-guide/authentication/admin-token.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
