Authentication & API Access Guide

This guide walks you through how to authenticate and interact with our API, whether you're logging in through our session-based system or using access tokens for your applications.

Authentication Options

You can access the API using two authentication methods:

  1. Session-Based Authentication – Log in and authenticate via a session cookie.

  2. Access Tokens – Set up an access token for your app to authenticate requests without the need for login sessions.

Session-Based Authentication

Our session-based authentication uses cookies and includes Cross-Site Request Forgery (CSRF) protection. When you log in, a session cookie is set; this cookie is required for every subsequent call to any system API.

To protect your session-based interactions, we implement CSRF protection using the synchronizer token pattern:

  • CSRF Token Generation: After a successful login, a CSRF token is generated and included in the meta section of the response payload.

  • Token Requirement: For all subsequent API requests, the CSRF token must be included in the request header (named csrf_token by default).

  • Request Rejection: Any API request that does not include the CSRF token in the header will be rejected for security reasons.

Example with curl:

curl -X POST "http://example.com/api/v1/auth/local" \
     -c cookies.txt \
     -H "Content-Type: application/json" \
     -d '{"login": "{{USER_EMAIL}}", "password": "{{USER_PASSWORD}}"}'

The -c cookies.txt option stores the session cookie returned by the login so it can be sent (with -b cookies.txt) on later requests.

Example Response Payload:

{
    "data": {
        "id": 1,
        "email": "test@gmail.com",
        "username": "username",
        "firstName": "User",
        "middleName": null,
        "lastName": "User",
        "roleId": 1,
        "avatarUrl": null,
        "role": {
            "id": 1,
            "title": "role",
            "description": "role description",
            "createdAt": "2024-04-16T12:34:24.841Z",
            "updatedAt": "2024-04-16T12:34:24.841Z"
        },
        "createdAt": "2024-04-16T12:37:05.747Z",
        "updatedAt": "2024-04-16T12:37:05.747Z"
    },
    "meta": {
        "csrfToken": "9d9dQNBSFAnn4d68RpS5sA",
        "useragent": {
            "ip": "172.18.0.1",
            "browser": "PostmanRuntime",
            "version": "7.37",
            "os": "unknown",
            "platform": "unknown"
        }
    },
    "status": 1
}

The response includes the user record and session-related metadata. The csrfToken value under meta is the token to send in the csrf_token header on every subsequent API call.

API Access for External Services

For external services or applications, you can use access tokens instead of session cookies. This method offers limited access but does not require CSRF protection: the token travels in a request header that the caller sets explicitly, so a browser never attaches it automatically the way it attaches cookies.

  • Access Token Usage:

    • Limited Access: Access tokens grant access to the pricing data APIs but not to administrative endpoints such as user or permission management.

    • Token Provision: Include the access token in the request header (named access_token by default).

    • No CSRF Token Required: When using an access token, there is no need for a CSRF token.
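The two request flows described above (session cookie plus csrf_token header, or access_token header alone) and the server-side rules that go with them, as an added example written for this guide rather than code from the API itself. It parses the sample login payload shown earlier, builds the headers for each mode, and includes a small stand-in for the server that applies the rejection rules from this page. The cookie name, the HTTP status codes, and the /api/v1/pricing path prefix are assumptions; the guide does not state them.

```python
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample: the login payload from the guide, trimmed to the fields used here.
LOGIN_RESPONSE_JSON = """{
  "data": {"id": 1, "email": "test@gmail.com", "username": "username", "roleId": 1},
  "meta": {"csrfToken": "9d9dQNBSFAnn4d68RpS5sA",
           "useragent": {"ip": "172.18.0.1", "browser": "PostmanRuntime"}},
  "status": 1
}"""

CSRF_HEADER = "csrf_token"            # default header name from the guide
ACCESS_TOKEN_HEADER = "access_token"  # default header name from the guide
SESSION_COOKIE = "session"            # assumed cookie name (not stated in the guide)
PRICING_PREFIX = "/api/v1/pricing"    # assumed path of the pricing data APIs


@dataclass
class ApiClient:
    """Builds the headers a caller sends in either authentication mode."""
    session_cookie: Optional[str] = None
    csrf_token: Optional[str] = None
    access_token: Optional[str] = None

    def complete_login(self, set_cookie_value: str, response_body: str) -> str:
        """Keep the session cookie and pull csrfToken out of the meta section."""
        payload = json.loads(response_body)
        token = payload.get("meta", {}).get("csrfToken")
        if not token:
            raise ValueError("login response has no meta.csrfToken")
        self.session_cookie = set_cookie_value
        self.csrf_token = token
        return token

    def headers(self) -> Dict[str, str]:
        """Headers for a subsequent API call in whichever mode the client is in."""
        if self.access_token:
            # External-service mode: only the access token, no CSRF token.
            return {ACCESS_TOKEN_HEADER: self.access_token}
        if self.session_cookie and self.csrf_token:
            # Session mode: the cookie plus the synchronizer token in its own header.
            return {"Cookie": f"{SESSION_COOKIE}={self.session_cookie}",
                    CSRF_HEADER: self.csrf_token}
        raise RuntimeError("client is not authenticated")


@dataclass
class ServerSessionStore:
    """Stand-in for the server: session cookie value -> issued CSRF token, plus valid access tokens."""
    sessions: Dict[str, str] = field(default_factory=dict)
    access_tokens: Set[str] = field(default_factory=set)


def _cookie_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Extract one cookie from a Cookie header such as 'a=1; session=abc'."""
    raw = headers.get("Cookie", "")
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            if key == name:
                return value
    return None


def check_request(store: ServerSessionStore, headers: Dict[str, str], path: str) -> Tuple[int, str]:
    """Apply the guide's rules to one request; returns (assumed status code, reason)."""
    access = headers.get(ACCESS_TOKEN_HEADER)
    if access is not None:
        # Access-token mode: constant-time match against issued tokens, no CSRF check,
        # and no reach into administrative endpoints.
        if not any(hmac.compare_digest(access, t) for t in store.access_tokens):
            return 401, "unknown access token"
        if not path.startswith(PRICING_PREFIX):
            return 403, "access tokens are limited to pricing data APIs"
        return 200, "ok"
    cookie = _cookie_value(headers, SESSION_COOKIE)
    if cookie is None or cookie not in store.sessions:
        return 401, "no valid session cookie"
    # Synchronizer token pattern: header value must equal the token tied to this session.
    supplied = headers.get(CSRF_HEADER)
    if supplied is None or not hmac.compare_digest(store.sessions[cookie], supplied):
        return 403, "missing or invalid csrf token"
    return 200, "ok"


if __name__ == "__main__":
    client = ApiClient()
    token = client.complete_login("abc123", LOGIN_RESPONSE_JSON)
    store = ServerSessionStore(sessions={"abc123": token}, access_tokens={"svc-token"})
    print(check_request(store, client.headers(), "/api/v1/users"))
    print(check_request(store, {"Cookie": "session=abc123"}, "/api/v1/users"))
    print(check_request(store, ApiClient(access_token="svc-token").headers(), "/api/v1/users"))
```

The server stand-in compares tokens with hmac.compare_digest so that a wrong token takes the same time to reject regardless of how many leading characters match; a plain string comparison would leak that information through response timing.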

By following this guide, you'll be able to securely and effectively interact with our API to retrieve comprehensive cryptocurrency market data.
