Authentication

Service Accounts
Use the /sa endpoints with the Service Account security scheme, passing an API key as a simple bearer token. This method is recommended for server-to-server communication only.
JWT authentication
Use the API endpoints (except those containing "/sa") with JWT authentication by providing a JWT token as the bearer token. This authentication method is recommended for client-side applications, PWAs, and mobile apps.

Authentication:
  • Authentication token (JWT) is returned by the /api/login endpoint and can be found in the response Authorization header and response body too
  • It is valid for 15 minutes
  • All API requests must include this token in the Authorization header as Bearer {token}
  • Initial refresh token is returned by the /api/login endpoint and can be found in the response "themanagement_refresh_token" cookie
Token Refresh:
  • Refresh token is returned by both /api/login and /api/token/refresh endpoints
  • It can be found in the response "themanagement_refresh_token" cookie
  • It is valid for 30 days
  • To obtain a new authentication token when it expires, send a POST request to /api/token/refresh with your refresh token cookie
  • Refreshed authentication token is returned in the response Authorization header and response body too
Important: Each protected API request must contain the Authorization header with the JWT token. When your token expires, use the refresh token to get a new one instead of requiring users to log in again.
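
The login and refresh flow above, sketched as a client-side token manager. This is an added example, not code from the API or its documentation; the `send` transport, the login body shape, the 2xx/401 status handling and the optional "Bearer " prefix on the response header are assumptions.

```python
import time

ACCESS_TTL = 15 * 60                            # page: JWT is valid for 15 minutes
REFRESH_COOKIE = "themanagement_refresh_token"  # page: refresh token cookie name


class TokenSession:
    """Holds the JWT in memory and refreshes it before it expires. `send` is a
    hypothetical transport: send(method, path, headers, cookies, body) returning
    (status, headers, cookies, body)."""

    def __init__(self, send, clock=time.monotonic, skew=30):
        self.send, self.clock, self.skew = send, clock, skew
        self.jwt, self.refresh_cookie, self.expires_at = None, None, 0.0

    def _store(self, status, headers, cookies):
        auth = headers.get("Authorization", "")
        if not 200 <= status < 300 or not auth:  # assumption: 2xx plus a token = success
            self.jwt = None
            raise PermissionError(f"no token issued (HTTP {status})")
        # Assumption: the response header may or may not carry the "Bearer " prefix.
        self.jwt = auth[7:] if auth.startswith("Bearer ") else auth
        self.expires_at = self.clock() + ACCESS_TTL - self.skew
        self.refresh_cookie = cookies.get(REFRESH_COOKIE, self.refresh_cookie)  # keep newest

    def _auth(self):
        return {"Authorization": f"Bearer {self.jwt}"}

    def login(self, credentials):                # request body shape is an assumption
        status, headers, cookies, _ = self.send("POST", "/api/login", {}, {}, credentials)
        self._store(status, headers, cookies)

    def refresh(self):
        if not self.refresh_cookie:
            raise PermissionError("no refresh token; log in again")
        jar = {REFRESH_COOKIE: self.refresh_cookie}  # sent to this endpoint only
        status, headers, cookies, _ = self.send("POST", "/api/token/refresh", {}, jar, None)
        self._store(status, headers, cookies)

    def request(self, method, path, body=None):
        if "sa" in path.split("/"):              # /sa endpoints take an API key, not a JWT
            raise ValueError("use the service account API key for /sa endpoints")
        if self.clock() >= self.expires_at:      # proactive refresh, `skew` seconds early
            self.refresh()
        response = self.send(method, path, self._auth(), {}, body)
        if response[0] == 401:                   # assumption: 401 = token rejected
            self.refresh()
            response = self.send(method, path, self._auth(), {}, body)
        return response
```

The JWT stays in memory only, and the refresh cookie is attached to /api/token/refresh and nowhere else, so an ordinary API call never carries the 30-day credential.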

Bodies and responses

Selective update
You can use partial updates by sending only the fields you want to update in the request body.
Preferred language
You can set the preferred language in the Accept-Language header. The default language is English (en).
Not writable fields in body
Some endpoints are read-only and do not allow write operations.
{
    "id": "primary_key",
    "created_by": "user_id",
    "created_at": "timestamp",
    "updated_by": "user_id",
    "updated_at": "timestamp"
}
And all other fields where the schema description indicates "read-only".
Field descriptions
The field descriptions are available in the schema definitions, which are served by the /schema endpoint.
Timestamps
Any string that PHP strtotime() accepts is valid as a timestamp input if you don't specify an optional parameter that matches a date format. Outputs represent the timestamp in multiple formats.
Extended responses
Some endpoints return extended responses with additional information. Enable them by setting the "extended" query parameter to "true"; the default value is "false". Please note that extended responses may slow down the response time.
Formatted responses
Some endpoints return formatted response values next to the raw values. This is enabled by the "format" attribute in the schema. A formatted value's name is the raw value's name with the "_formatted" suffix.
Select2 fields
Select2 is a special type of select whose values come from the database. You have to use the "value" field from the response for both the option value and the option text. If you see "user_add: true" in the schema, you can add new values to the select2 field.