Authentication

Obtain and use access tokens to authenticate API requests.

GET /api/login-token
Overview

The login-token endpoint uses HTTP Basic Authentication to generate or retrieve an access token for the authenticated user.

Token Reuse

This endpoint reuses tokens instead of issuing a new one on every call:

  • If you already have a valid unexpired token, it returns the existing token
  • If no token exists or your token has expired, it creates a new one
  • This prevents token proliferation and ensures consistent authentication
Request
HTTP Method: GET
Headers
| Header | Value | Description |
| --- | --- | --- |
| Authorization | Basic {credentials} | Base64-encoded email:password |
Creating Basic Auth Credentials
JavaScript / Browser
const email = 'user@example.com';
const password = 'securePassword123';

// Using btoa() for base64 encoding
const credentials = btoa(`${email}:${password}`);

// Result: dXNlckBleGFtcGxlLmNvbTpzZWN1cmVQYXNzd29yZDEyMw==
Node.js
const email = 'user@example.com';
const password = 'securePassword123';

// Using Buffer for base64 encoding
const credentials = Buffer.from(`${email}:${password}`).toString('base64');

// Result: dXNlckBleGFtcGxlLmNvbTpzZWN1cmVQYXNzd29yZDEyMw==
Python
import base64

email = 'user@example.com'
password = 'securePassword123'

# Using base64 encoding
credentials = base64.b64encode(f'{email}:{password}'.encode()).decode()

# Result: dXNlckBleGFtcGxlLmNvbTpzZWN1cmVQYXNzd29yZDEyMw==
Command Line (bash)
echo -n 'user@example.com:securePassword123' | base64
# Result: dXNlckBleGFtcGxlLmNvbTpzZWN1cmVQYXNzd29yZDEyMw==
Complete Request Examples
JavaScript (fetch)
const email = 'user@example.com';
const password = 'securePassword123';
const credentials = btoa(`${email}:${password}`);

const response = await fetch('https://backoffice.ddev.site/api/login-token', {
  method: 'GET',
  headers: {
    'Authorization': `Basic ${credentials}`
  }
});

const data = await response.json();
console.log('Access Token:', data.data[0].token);
JavaScript (axios)
import axios from 'axios';

const email = 'user@example.com';
const password = 'securePassword123';
const credentials = btoa(`${email}:${password}`);

const response = await axios.get('https://backoffice.ddev.site/api/login-token', {
  headers: {
    'Authorization': `Basic ${credentials}`
  }
});

const token = response.data.data[0].token;
console.log('Access Token:', token);
Command Line (curl)
curl -X GET "https://backoffice.ddev.site/api/login-token" \
  -H "Authorization: Basic $(echo -n 'user@example.com:securePassword123' | base64)"

# Or with username:password directly (curl handles encoding)
curl -X GET "https://backoffice.ddev.site/api/login-token" \
  -u "user@example.com:securePassword123"
Python (requests)
import requests
import base64

email = 'user@example.com'
password = 'securePassword123'
credentials = base64.b64encode(f'{email}:{password}'.encode()).decode()

response = requests.get(
    'https://backoffice.ddev.site/api/login-token',
    headers={'Authorization': f'Basic {credentials}'}
)

token = response.json()['data'][0]['token']
print(f'Access Token: {token}')

# Or use requests basic auth helper
from requests.auth import HTTPBasicAuth
response = requests.get(
    'https://backoffice.ddev.site/api/login-token',
    auth=HTTPBasicAuth(email, password)
)
Response
{
  "data": [{
    "id": "123",
    "token": "abc123def456ghi789jkl012mno345pqr678stu901vwx234yz",
    "type": "access_token",
    "uid": "456",
    "expire": 1735689600
  }]
}
Response Fields
| Field | Type | Description |
| --- | --- | --- |
| id | string | Token entity ID |
| token | string | The access token to use for API requests |
| type | string | Token type (always "access_token") |
| uid | string | User ID associated with this token |
| expire | integer | Unix timestamp when the token expires |
Using the Access Token

Once you have obtained an access token, include it in the Authorization header of all subsequent API requests using the Bearer scheme.

Request Format
GET /api/v1.0/datatable-clients HTTP/1.1
Host: backoffice.ddev.site
Authorization: Bearer abc123def456ghi789jkl012mno345pqr678stu901vwx234yz
Complete Example: Login and Make API Call
JavaScript (fetch)
// Step 1: Login and get token
const email = 'user@example.com';
const password = 'securePassword123';
const credentials = btoa(`${email}:${password}`);

const loginResponse = await fetch('https://backoffice.ddev.site/api/login-token', {
  method: 'GET',
  headers: {
    'Authorization': `Basic ${credentials}`
  }
});

const loginData = await loginResponse.json();
const accessToken = loginData.data[0].token;

// Step 2: Use token for API requests
const clientsResponse = await fetch('https://backoffice.ddev.site/api/v1.0/datatable-clients', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${accessToken}`
  }
});

const clients = await clientsResponse.json();
console.log('Clients:', clients);
Command Line (curl)
# Step 1: Login and get token
TOKEN=$(curl -s -X GET "https://backoffice.ddev.site/api/login-token" \
  -u "user@example.com:securePassword123" \
  | jq -r '.data[0].token')

echo "Token: $TOKEN"

# Step 2: Use token for API requests
curl -X GET "https://backoffice.ddev.site/api/v1.0/datatable-clients" \
  -H "Authorization: Bearer $TOKEN"
Python (requests)
import requests
from requests.auth import HTTPBasicAuth

# Step 1: Login and get token
email = 'user@example.com'
password = 'securePassword123'

login_response = requests.get(
    'https://backoffice.ddev.site/api/login-token',
    auth=HTTPBasicAuth(email, password)
)

access_token = login_response.json()['data'][0]['token']
print(f'Token: {access_token}')

# Step 2: Use token for API requests
clients_response = requests.get(
    'https://backoffice.ddev.site/api/v1.0/datatable-clients',
    headers={'Authorization': f'Bearer {access_token}'}
)

clients = clients_response.json()
print(f'Clients: {clients}')
Error Handling
401 Unauthorized - Invalid Credentials
{
  "type": "https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Wrong credentials."
}
401 Unauthorized - Missing Authorization Header
{
  "type": "https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2",
  "title": "Unauthorized",
  "status": 401,
  "detail": "No authentication credentials provided."
}
403 Forbidden - Token Expired

When using an expired token for API requests:

{
  "type": "https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4",
  "title": "Forbidden",
  "status": 403,
  "detail": "Access token expired."
}

When this occurs, request a new token using the /api/login-token endpoint.

Best Practices
  • Store tokens securely: Never expose tokens in client-side code, logs, or version control
  • Check expiration: Monitor the expire field and refresh tokens before they expire
  • Handle 403 errors: Implement automatic re-authentication when receiving token expired errors
  • Use HTTPS: Always use HTTPS to prevent token interception
  • Token reuse: The endpoint returns existing valid tokens, so it's safe to call repeatedly
  • Never log credentials: Avoid logging Basic Auth credentials or Bearer tokens
  • Implement token caching: Cache tokens client-side to reduce authentication requests
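
The expiry check, token caching and 403 re-authentication practices listed above, combined in one client. This is an added example, not code from this API or its documentation; TokenClient, fetchImpl, now and skewSeconds are hypothetical names, and Buffer assumes Node.js.

```javascript
// Added example: TokenClient is a hypothetical helper, not part of this API.
// fetchImpl and now are injectable so the logic can be exercised offline.
class TokenClient {
  constructor({ baseUrl, email, password, fetchImpl = (...a) => fetch(...a),
                now = () => Date.now(), skewSeconds = 60 }) {
    Object.assign(this, { baseUrl, email, password, fetchImpl, now, skewSeconds });
    this.cached = null; // { token, expire }, held in memory only
  }

  basicHeader() {
    // Buffer encodes as UTF-8; btoa() throws on characters outside Latin-1.
    const raw = `${this.email}:${this.password}`;
    return 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
  }

  isFresh() {
    // Treat the token as expired skewSeconds early to absorb clock drift.
    return this.cached !== null &&
      this.cached.expire - this.skewSeconds > this.now() / 1000;
  }

  async login() {
    const res = await this.fetchImpl(`${this.baseUrl}/api/login-token`, {
      method: 'GET', headers: { Authorization: this.basicHeader() } });
    // Report only the status; never put credentials or tokens in messages.
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    const entry = ((await res.json()).data || [])[0];
    if (!entry || typeof entry.token !== 'string') {
      throw new Error('login response carried no token');
    }
    this.cached = { token: entry.token, expire: entry.expire };
  }

  async request(path) {
    for (let attempt = 0; ; attempt++) {
      if (!this.isFresh()) await this.login();
      const res = await this.fetchImpl(`${this.baseUrl}${path}`, {
        method: 'GET', headers: { Authorization: `Bearer ${this.cached.token}` } });
      if (res.status !== 403 || attempt > 0) return res;
      // Retry once, and only for the documented expiry error.
      const problem = await res.clone().json().catch(() => ({}));
      if (problem.detail !== 'Access token expired.') return res;
      this.cached = null; // force a fresh login on the next pass
    }
  }
}
```

A 403 with any other detail is returned to the caller unchanged, so a genuine permission error does not trigger a login retry.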