# Authentication

## Access token <a href="#access-token" id="access-token"></a>

All HTTP requests to the API must be authorized with a JWT access token via bearer authentication. The access token must be sent in the `Authorization` header. Example:

```
curl -H "Authorization: Bearer <token>" https://api.didomi.io/v1/properties
```

All API requests must be made over HTTPS. Calls made over plain HTTP get a `301` response redirecting to their HTTPS equivalent. Do not rely on that redirect for confidentiality: a token sent over plain HTTP has already crossed the network in clear text before the `301` arrives, so always use `https://` URLs directly. Calls without a valid authorization token fail with a `401` error code.

## Authentication workflow <a href="#authentication-workflow" id="authentication-workflow"></a>

Start by connecting to the Didomi console. Navigate to the relevant organization and go to `Settings/Private API keys`. There you can generate a Private API key and a secret. The secret is shown only at generation time, so store it in a secrets manager rather than in source code.

To generate an access token, send an HTTP `POST` request to `https://api.didomi.io/v1/sessions` with a JSON body containing the following values:

| Key      | Value           | Description                                                                   |
| -------- | --------------- | ----------------------------------------------------------------------------- |
| `type`   | api-key         | The type of authorization request (in this case, using an API key and secret) |
| `key`    | Your API key    | Use your Private API key                                                      |
| `secret` | Your API secret | Use the secret that you received when you generated your Private API key      |

The `/sessions` endpoint of the API is used to authenticate yourself and obtain a JSON Web Token that should be used for other API calls. All other API endpoints expect a JWT.

For a full reference of the endpoint and the resources that it returns, visit <https://api.didomi.io/docs/>.

{% hint style="warning" %}
Cache and reuse the token instead of calling `/sessions` for every API request.

Tokens expire after 1 hour, so a long-running process must obtain a new token before the current one expires, and should treat a `401` on any call as a signal to re-authenticate.
{% endhint %}

**Request example:**

```
curl --request POST --url 'https://api.didomi.io/v1/sessions' --header 'content-type: application/json' --data '{"type": "api-key", "key": "<Your API key>", "secret": "<Your API secret>"}'
```

The response will contain an `access_token` property with the token that you should use for authorizing further requests. If there is a problem authenticating you, a `400` error is returned.

**Response example:**

```
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
}
```
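The workflow above (authenticate once against `/sessions`, reuse the token, refresh before the 1-hour expiry, send it as a bearer header) as a small Python client. This is an added example, not Didomi's code. It assumes, which the page does not state, that the issued JWT may carry a standard `exp` claim; when it does not, the cache falls back to the documented 1-hour lifetime. `request_token` is the only function that touches the network; the demo at the bottom uses a constructed HS256 token and a fake clock so it runs offline.

```python
"""Token cache for the /sessions workflow described above.

Added example; this is not Didomi's code. It assumes (not stated on the
page) that the issued JWT may carry a standard `exp` claim; if it does
not, the cache falls back to the documented 1-hour lifetime.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from typing import Callable, Optional

SESSIONS_URL = "https://api.didomi.io/v1/sessions"


def request_token(key: str, secret: str, url: str = SESSIONS_URL) -> str:
    """POST the api-key credentials to /sessions and return access_token.

    A 400 response (bad key/secret) surfaces as urllib.error.HTTPError.
    """
    body = json.dumps({"type": "api-key", "key": key, "secret": secret}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["access_token"]


def jwt_expiry(token: str) -> Optional[int]:
    """Return the `exp` claim of a JWT payload, or None if it is absent.

    The signature is deliberately NOT verified: the client has no
    verification key, only the API does. `exp` is used solely to schedule
    a refresh, never as proof that the token is valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("exp")


class TokenCache:
    """Reuse one access token until shortly before it expires."""

    def __init__(self, fetch: Callable[[], str], lifetime: int = 3600,
                 skew: int = 60, clock: Callable[[], float] = time.time):
        self.fetch = fetch          # e.g. lambda: request_token(KEY, SECRET)
        self.lifetime = lifetime    # documented lifetime, used when no `exp`
        self.skew = skew            # refresh this many seconds before expiry
        self.clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.refreshes = 0          # how many times /sessions was called

    def get(self) -> str:
        now = self.clock()
        if self._token is None or now >= self._expires_at - self.skew:
            self._token = self.fetch()
            exp = jwt_expiry(self._token)
            self._expires_at = float(exp) if exp is not None else now + self.lifetime
            self.refreshes += 1
        return self._token

    def auth_header(self) -> dict:
        """Header to attach to every other API call."""
        return {"Authorization": f"Bearer {self.get()}"}


def make_demo_token(claims: dict, secret: bytes = b"demo-secret") -> str:
    """Constructed HS256 token for offline use only; real tokens come from /sessions."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64(hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


if __name__ == "__main__":
    # Offline run with a fake clock: one fetch serves many calls, and a new
    # token is fetched once the old one is within `skew` seconds of expiry.
    now = [1_700_000_000]
    cache = TokenCache(
        fetch=lambda: make_demo_token({"sub": "demo", "exp": now[0] + 3600}),
        clock=lambda: now[0],
    )
    for _ in range(3):
        cache.auth_header()
    now[0] += 3600 - 30
    cache.auth_header()
    print("refreshes:", cache.refreshes)  # 2
```

In production, construct the cache as `TokenCache(lambda: request_token(KEY, SECRET))` with the key and secret read from the environment or a secrets manager, and pass `cache.auth_header()` to each API call. The `skew` margin avoids sending a token that expires in flight; keep `jwt_expiry` strictly for scheduling, since an unverified `exp` proves nothing about the token's validity.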
