Authentication

Overview


The Authentication endpoints issue JWT access tokens and refresh tokens. All other API endpoints require a valid access token in the Authorization header.

These endpoints are anonymous — no prior authentication is needed.

EndpointMethodPurpose
/v2/authenticationPOSTExchange username and password for tokens.
/v2/authentication/refresh-tokenPOSTExchange both the current access token and refresh token (in the JSON body) for new tokens.

Obtain Tokens

Endpoint: POST /v2/authentication

Request Body

FieldTypeRequiredDescription
Usernamestring✅ YesYour API account username.
Passwordstring✅ YesYour API account password.

Example request:

import requests

response = requests.post(
    "https://api.prod1.valu8group.com/v2/authentication",
    json={
        "Username": "<your-username>",
        "Password": "<your-password-here>"
    }
)

print(response.json())

Success Response (HTTP 200)

Returns an AuthenticateResponse JSON body with access and refresh tokens.

FieldTypeDescription
AccessTokenTokenJWT access token for authenticated API calls. See Section 5.
RefreshTokenTokenOpaque refresh token for obtaining new access tokens. See Section 5.

Example response:

{
  "AccessToken": {
    "Value": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9...",
    "ExpiresAt": "2026-08-27T10:00:00Z"
  },
  "RefreshToken": {
    "Value": "k8fJ2mN9pQ1rS4tU7vW0xY3zA6bC8dE0fG2hI4jK6lM8nO0pQ2rS4tU6vW8xY0zA==",
    "ExpiresAt": "2026-08-27T10:00:00Z"
  }
}

Important!

It's important that you NOT create a new access token with each new request. Instead, reuse the same access token as long as it is valid, (i.e. the date for expireAt has not expired) Currently the expiration time is 3 months.

When you have recieved an access token, then include it in subsequent requests as a header like this:

Authorization: Bearer <access_token>

Failed Authentication (HTTP 404)

Returned with an empty body when the username or password is invalid. The API does not return 401 for invalid credentials on this endpoint.

Validation Error (HTTP 422)

Returned when required fields are missing or the password is too short (model validation).


Refresh Tokens

Endpoint: POST /v2/authentication/refresh-token

Use this endpoint to obtain a new access token before the current one expires, without re-entering credentials.

Both tokens required. You must send both AccessToken and RefreshToken in the JSON request body. The access token may be expired, but it must still be parseable so the API can identify your account. Sending only the refresh token is not supported. Do not use the Authorization header on this call — pass the access token as the AccessToken field in the body together with RefreshToken.

3.1 Request Body

FieldTypeRequiredDescription
AccessTokenstring✅ YesThe current access token (AccessToken.Value from your last login or refresh). May be expired; used to identify the user. Required together with RefreshToken.
RefreshTokenstring✅ YesThe refresh token (RefreshToken.Value from your last login or refresh). Must match the token stored for your user and must not be expired. Required together with AccessToken.

Example request:

import requests

response = requests.post(
    "https://api.prod1.valu8group.com/v2/authentication/refresh-token",
    json={
        "accessToken": "<your-existing-access-token>",
        "refreshToken": "<your-existing-refresh-token>"
    }
)

print(response.json())

3.2 Success Response (HTTP 200)

Returns the same structure as authentication — a new AccessToken and RefreshToken. The previous refresh token is invalidated when a new one is issued.

3.3 Failed Refresh (HTTP 404)

Returned with an empty body when:

  • The access token cannot be parsed or validated.
  • The refresh token does not match the stored token for the user.
  • The refresh token has expired.


How do I get or reset my password?

You can find this information in the "Password management" section of the documentation here.