Authentication
Auth endpoints are public — they use API Key + Secret (or headers), not Bearer token.
Authenticate
Exchanges API key and secret for access and refresh tokens. Use the returned access_token as Bearer for protected endpoints.
Endpoint: POST /api/v1/auth/authenticate
Request
| Header/Field | Location | Required | Description |
|---|---|---|---|
Api-Key | header | No* | API key (alternative to body) |
Api-Secret | header | No* | API secret (alternative to body) |
api_key | body | Yes* | API key |
secret_key | body | Yes* | API secret |
*Either body or headers required.
Example Request
{
"api_key": "apex_abc123def456",
"secret_key": "64-char-hex-secret"
}
Response — 200 OK
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "Bearer",
"expires_in": 3600,
"expires_at": "2025-02-14T11:00:00Z"
}
| Status | Description |
|---|---|
| 400 | Bad request |
| 401 | Invalid API key or secret |
Refresh Token
Exchanges a valid refresh token for new access and refresh tokens.
Endpoint: POST /api/v1/auth/refresh
Request Body
{
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Response — 200 OK
Same structure as Authenticate response.
| Status | Description |
|---|---|
| 400 | Bad request |
| 401 | Invalid or expired refresh token |