Authenticate

In order to make requests to the API you need to send an access token that is used to authenticate the request.

Request an access token

Before using the API you need an API key and secret. You can create these in the admin portal. Make sure you store these and make them available to your code in a secure way, through an environment variable or other secure mechanism. Do not commit them into a source control repository.

To use the API, your request must include a valid Access Token. To request an access token, make a Get Access Token request with the API key and secret in a JSON request body:

POST https://api.aluma.io/oauth/token

{
  "client_id": "<API_KEY>",
  "client_secret": "<API_SECRET>"
}

A successful request will return a 200 OK response containing the access token and the number of seconds from now until its expiry time:

{
  "access_token": "<MY_ACCESS_TOKEN>",
  "expires_in": 86400
}

Your code should make a request for a new access token a minute or two before each token's expiry.

Use the token to authenticate requests

With every subsequent request to the API, specify an Authorization header that includes the access token. The format for the header value is Bearer <ACCESS_TOKEN>. If your header is missing or badly formatted, the access token is invalid, or your access token has expired, you will receive a 401 Unauthorized response from the API.
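
The token handling described above, as an added example that is not Aluma's own code: it reads the key and secret from the environment, caches the token, renews it shortly before expiry, and builds the Authorization header. The environment variable names ALUMA_API_KEY and ALUMA_API_SECRET, the Content-Type header, the 120-second margin and the TokenCache helper are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.aluma.io/oauth/token"  # endpoint given on this page
REFRESH_MARGIN = 120  # assumed margin in seconds: "a minute or two" before expiry


def fetch_token():
    """POST the API key and secret as JSON and return the parsed response."""
    # Assumed variable names; the secret comes from the environment, never source.
    body = json.dumps({
        "client_id": os.environ["ALUMA_API_KEY"],
        "client_secret": os.environ["ALUMA_API_SECRET"],
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, method="POST",
        headers={"Content-Type": "application/json"},  # assumed header
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Hypothetical helper: caches the token and renews it REFRESH_MARGIN early."""

    def __init__(self, fetch=fetch_token, clock=time.monotonic):
        self._fetch, self._clock = fetch, clock
        self._token, self._renew_at = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            data = self._fetch()
            self._token = data["access_token"]
            # expires_in is relative to now, so anchor it to the local clock.
            margin = max(int(data["expires_in"]) - REFRESH_MARGIN, 0)
            self._renew_at = now + margin
        return self._token

    def invalidate(self):
        """Call after a 401 Unauthorized so the next call fetches a new token."""
        self._token = None

    def auth_header(self):
        return {"Authorization": f"Bearer {self.token()}"}
```

Share one TokenCache instance per process so the secret is sent only when a token is actually needed, and keep the token itself out of logs and error messages.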