Authentication
Overview
The Authentication endpoints issue JWT access tokens and refresh tokens. All other API endpoints require a valid access token in the Authorization header.
These endpoints are anonymous — no prior authentication is needed.
| Endpoint | Method | Purpose |
|---|---|---|
/v2/authentication | POST | Exchange username and password for tokens. |
/v2/authentication/refresh-token | POST | Exchange both the current access token and refresh token (in the JSON body) for new tokens. |
Obtain Tokens
Endpoint: POST /v2/authentication
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
Username | string | ✅ Yes | Your API account username. |
Password | string | ✅ Yes | Your API account password. |
Example request:
import requests
response = requests.post(
"https://api.prod1.valu8group.com/v2/authentication",
json={
"Username": "<your-username>",
"Password": "<your-password-here>"
}
)
print(response.json())Success Response (HTTP 200)
Returns an AuthenticateResponse JSON body with access and refresh tokens.
Example response:
{
"AccessToken": {
"Value": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9...",
"ExpiresAt": "2026-08-27T10:00:00Z"
},
"RefreshToken": {
"Value": "k8fJ2mN9pQ1rS4tU7vW0xY3zA6bC8dE0fG2hI4jK6lM8nO0pQ2rS4tU6vW8xY0zA==",
"ExpiresAt": "2026-08-27T10:00:00Z"
}
}Important!
It's important that you NOT create a new access token with each new request. Instead, reuse the same access token as long as it is valid, (i.e. the date for expireAt has not expired) Currently the expiration time is 3 months.
When you have recieved an access token, then include it in subsequent requests as a header like this:
Authorization: Bearer <access_token>
Failed Authentication (HTTP 404)
Returned with an empty body when the username or password is invalid. The API does not return 401 for invalid credentials on this endpoint.
Validation Error (HTTP 422)
Returned when required fields are missing or the password is too short (model validation).
Refresh Tokens
Endpoint: POST /v2/authentication/refresh-token
Use this endpoint to obtain a new access token before the current one expires, without re-entering credentials.
Both tokens required. You must send both
AccessTokenandRefreshTokenin the JSON request body. The access token may be expired, but it must still be parseable so the API can identify your account. Sending only the refresh token is not supported. Do not use theAuthorizationheader on this call — pass the access token as theAccessTokenfield in the body together withRefreshToken.
3.1 Request Body
| Field | Type | Required | Description |
|---|---|---|---|
AccessToken | string | ✅ Yes | The current access token (AccessToken.Value from your last login or refresh). May be expired; used to identify the user. Required together with RefreshToken. |
RefreshToken | string | ✅ Yes | The refresh token (RefreshToken.Value from your last login or refresh). Must match the token stored for your user and must not be expired. Required together with AccessToken. |
Example request:
import requests
response = requests.post(
"https://api.prod1.valu8group.com/v2/authentication/refresh-token",
json={
"accessToken": "<your-existing-access-token>",
"refreshToken": "<your-existing-refresh-token>"
}
)
print(response.json())3.2 Success Response (HTTP 200)
Returns the same structure as authentication — a new AccessToken and RefreshToken. The previous refresh token is invalidated when a new one is issued.
3.3 Failed Refresh (HTTP 404)
Returned with an empty body when:
- The access token cannot be parsed or validated.
- The refresh token does not match the stored token for the user.
- The refresh token has expired.
How do I get or reset my password?
You can find this information in the "Password management" section of the documentation here.