Authentication
API authentication and security
Authentication
SmartWMS API uses JWT (JSON Web Tokens) for authentication.
Getting API Credentials
- Log in to SmartWMS
- Go to Configuration → API Keys
- Click Generate New Key
- Copy your API key (shown only once)
Authentication Flow
1. Login to get tokens:

```http
POST /api/v1/auth/login
Content-Type: application/json

{
  "email": "user@company.com",
  "password": "your_password"
}
```

Response:

```json
{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIs...",
    "refreshToken": "dGhpcyBpcyBhIHJl...",
    "expiresAt": "2024-01-15T12:00:00Z"
  }
}
```

2. Use the token in requests:

```http
GET /api/v1/products
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
```
Token Refresh
Tokens expire after 1 hour. Refresh before expiry:
```http
POST /api/v1/auth/refresh
Content-Type: application/json

{
  "refreshToken": "dGhpcyBpcyBhIHJl..."
}
```
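The login, bearer-header and refresh steps above, put together as a small client that refreshes shortly before `expiresAt` instead of waiting for a 401. This is an added example, not SmartWMS's own SDK: it assumes only the endpoints and JSON shapes shown on this page, and takes a `transport` callable so it can run offline against the constructed `FakeServer` below (the 5-minute refresh margin and the fake credentials are choices made for the example).

```python
"""Hypothetical SmartWMS JWT client (added example, not SmartWMS code).

`transport(method, path, headers, body) -> dict` is any HTTP-like callable,
which lets the same class run against a fake server in tests.
"""
from datetime import datetime, timedelta, timezone

REFRESH_MARGIN = timedelta(minutes=5)  # refresh this long before expiresAt (assumed margin)
_ISO_Z = "%Y-%m-%dT%H:%M:%SZ"         # format of expiresAt as shown on the page


def parse_expiry(value):
    """'2024-01-15T12:00:00Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, _ISO_Z).replace(tzinfo=timezone.utc)


class SmartWmsClient:
    def __init__(self, transport, email, password, now=None):
        self._transport = transport
        self._email = email
        self._password = password
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._token = self._refresh_token = self._expires_at = None

    def _store(self, data):
        self._token = data["token"]
        self._refresh_token = data["refreshToken"]
        self._expires_at = parse_expiry(data["expiresAt"])

    def login(self):
        resp = self._transport("POST", "/api/v1/auth/login",
                               {"Content-Type": "application/json"},
                               {"email": self._email, "password": self._password})
        if not resp.get("success"):
            raise RuntimeError("login failed")
        self._store(resp["data"])

    def refresh(self):
        resp = self._transport("POST", "/api/v1/auth/refresh",
                               {"Content-Type": "application/json"},
                               {"refreshToken": self._refresh_token})
        if not resp.get("success"):
            self.login()  # refresh token rejected (expired or revoked): full login again
            return
        self._store(resp["data"])

    def auth_headers(self):
        """Return the Authorization header, logging in or refreshing first if needed."""
        if self._token is None:
            self.login()
        elif self._now() >= self._expires_at - REFRESH_MARGIN:
            self.refresh()
        return {"Authorization": f"Bearer {self._token}"}

    def get(self, path):
        return self._transport("GET", path, self.auth_headers(), None)


class FakeServer:
    """Constructed stand-in for SmartWMS so the example runs offline."""

    def __init__(self, now):
        self._now = now
        self.calls = []   # (method, path, Authorization header) for inspection
        self.issued = 0   # how many token pairs have been handed out

    def _issue(self):
        self.issued += 1
        exp = self._now() + timedelta(hours=1)  # tokens expire after 1 hour
        return {"success": True, "data": {"token": f"tok{self.issued}",
                                          "refreshToken": f"ref{self.issued}",
                                          "expiresAt": exp.strftime(_ISO_Z)}}

    def __call__(self, method, path, headers, body):
        self.calls.append((method, path, headers.get("Authorization")))
        if path == "/api/v1/auth/login":
            return self._issue() if body["password"] == "correct horse" else {"success": False}
        if path == "/api/v1/auth/refresh":
            return self._issue() if body["refreshToken"] == f"ref{self.issued}" else {"success": False}
        if headers.get("Authorization") != f"Bearer tok{self.issued}":
            return {"success": False, "error": "unauthorized"}
        return {"success": True, "data": [{"sku": "A-1"}]}  # constructed product list


def demo():
    """Login on first use, then refresh once the clock enters the margin."""
    clock = [datetime(2024, 1, 15, 11, 0, tzinfo=timezone.utc)]

    def now():
        return clock[0]

    server = FakeServer(now)
    client = SmartWmsClient(server, "user@company.com", "correct horse", now=now)
    first = client.get("/api/v1/products")    # triggers login, token valid until 12:00
    clock[0] += timedelta(minutes=56)         # 11:56 is inside the 5-minute margin
    second = client.get("/api/v1/products")   # triggers refresh, then the GET
    return first, second, server.issued, [c[1] for c in server.calls]


if __name__ == "__main__":
    print(demo())
```

Refreshing on a margin rather than on the exact `expiresAt` avoids a request failing in flight because the token expired between header construction and server receipt; the fallback to `login()` covers a refresh token that has itself been revoked.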
API Keys
For server-to-server integration, use API keys:
```http
GET /api/v1/products
X-API-Key: your_api_key_here
```
API Key Features:
- No expiration (until revoked)
- Scoped permissions
- IP whitelist support
Security Best Practices
Do:
- Store credentials securely
- Use HTTPS only
- Rotate keys periodically
- Use minimum required permissions
- Implement IP whitelisting

Don't:
- Commit credentials to code
- Share keys between environments
- Use production keys in development
- Log tokens or keys
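Three of the practices above can be enforced in the integration code itself rather than left to convention: reading keys from a per-environment variable (so a dev process never loads the production key), refusing plaintext HTTP base URLs, and redacting the Bearer token or `X-API-Key` value before a request is logged. This is an added example, not SmartWMS code; the environment-variable naming scheme is an assumption for the example.

```python
"""Added example (not SmartWMS code): credential hygiene helpers for an integration."""
import os
import re
from urllib.parse import urlparse

# Matches the two credential carriers this API uses: the Bearer token and the X-API-Key header.
_SECRET_HEADER = re.compile(r"(?i)((?:Authorization:\s*Bearer|X-API-Key:)\s*)(\S+)")


def load_api_key(environment, env=None):
    """Each environment reads its own variable (assumed naming: SMARTWMS_API_KEY_<ENV>)."""
    env = os.environ if env is None else env
    name = f"SMARTWMS_API_KEY_{environment.upper()}"
    key = env.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; keys are read from the environment, never from source files")
    return key


def require_https(base_url):
    """Reject any base URL that would send credentials over plaintext HTTP."""
    if urlparse(base_url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS base URL: {base_url}")
    return base_url


def redact(text):
    """Replace the secret part of Authorization/X-API-Key headers with a fixed marker."""
    return _SECRET_HEADER.sub(lambda m: m.group(1) + "[REDACTED]", text)


def describe_request(method, url, headers):
    """Log-safe one-line description of an outgoing request."""
    rendered = " ".join(f"{k}: {v}" for k, v in headers.items())
    return redact(f"{method} {url} {rendered}")


if __name__ == "__main__":
    # Constructed sample request; the token value is not a real credential.
    base = require_https("https://wms.example.com")
    print(describe_request("GET", base + "/api/v1/products",
                           {"Authorization": "Bearer eyJhbGciOiJIUzI1NiIs.sample", "Accept": "application/json"}))
```

Run `describe_request` (or `redact`) on every line your HTTP layer hands to the logger; redaction belongs at that single choke point, not scattered through call sites where one forgotten `print(headers)` leaks the key.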
Permission Scopes
API keys can have limited scopes:
| Scope | Access |
|---|---|
| read:products | Read product data |
| write:products | Create/update products |
| read:orders | Read order data |
| write:orders | Create/update orders |
| read:inventory | Read stock levels |
| write:inventory | Adjust inventory |
| admin | Full access |
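How the API key features above (scoped permissions, IP whitelist, revocation) combine into one authorization decision, shown as an added example of server-side checking; this is not SmartWMS's own implementation. The mapping from route and method to required scope is an assumption derived from the scope table (the real service may map routes differently), and unknown routes are denied rather than defaulted to allow.

```python
"""Added example (not SmartWMS code): authorize an API-key request by revocation,
source IP and scope. Route-to-scope mapping is assumed from the scope table."""
import ipaddress
import re
from dataclasses import dataclass

# (allowed methods, path pattern, required scope); assumed mapping for this example
_ROUTES = [
    ({"GET"}, r"^/api/v1/products(/|$)", "read:products"),
    ({"POST", "PUT", "PATCH"}, r"^/api/v1/products(/|$)", "write:products"),
    ({"GET"}, r"^/api/v1/orders(/|$)", "read:orders"),
    ({"POST", "PUT", "PATCH"}, r"^/api/v1/orders(/|$)", "write:orders"),
    ({"GET"}, r"^/api/v1/inventory(/|$)", "read:inventory"),
    ({"POST", "PUT", "PATCH"}, r"^/api/v1/inventory(/|$)", "write:inventory"),
]


@dataclass(frozen=True)
class ApiKeyRecord:
    scopes: frozenset
    allowed_networks: tuple = ()   # CIDR strings; empty tuple means no IP restriction
    revoked: bool = False


def required_scope(method, path):
    """Scope a route needs, or None when the route is not mapped (caller must deny)."""
    for methods, pattern, scope in _ROUTES:
        if method.upper() in methods and re.match(pattern, path):
            return scope
    return None


def ip_allowed(client_ip, allowed_networks):
    if not allowed_networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in allowed_networks)


def authorize(key, client_ip, method, path):
    """Return (allowed, reason). Checks run cheapest-and-broadest first; every deny is explicit."""
    if key.revoked:
        return False, "key revoked"
    if not ip_allowed(client_ip, key.allowed_networks):
        return False, "source IP not in whitelist"
    scope = required_scope(method, path)
    if scope is None:
        return False, "no scope mapped for route"
    if "admin" in key.scopes:
        return True, "granted via admin"
    if scope in key.scopes:
        return True, f"granted via {scope}"
    return False, f"missing scope {scope}"


if __name__ == "__main__":
    # Constructed key: read-only on products and inventory, restricted to 10.0.0.0/8
    key = ApiKeyRecord(scopes=frozenset({"read:products", "read:inventory"}),
                       allowed_networks=("10.0.0.0/8",))
    print(authorize(key, "10.1.2.3", "GET", "/api/v1/products"))
    print(authorize(key, "10.1.2.3", "POST", "/api/v1/products"))
    print(authorize(key, "192.168.1.1", "GET", "/api/v1/products"))
```

The reason string is what you want in the audit log: a spike in "missing scope" or "source IP not in whitelist" denials for one key is the signal that the key is being used from somewhere, or for something, it was not issued for.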
Multi-Tenant Access
When accessing tenant data:
```http
GET /api/v1/products
Authorization: Bearer token
X-Tenant-Id: your_tenant_id
```
Revoking Access
To revoke an API key:
- Go to Configuration → API Keys
- Find the key
- Click Revoke
- Confirm revocation