Authentication API
The Authentication API allows you to obtain the necessary tokens to access the Nilo platform. This endpoint is essential for starting to use any other API service.
Understanding Authentication
Authentication in Nilo uses a two-factor approach to ensure secure access to the platform:
| Credential | Description |
|---|---|
| API Key | Static key passed in x-api-key header. Unique per environment. |
| Access Token | Dynamic JWT token passed in Authorization header. Has limited lifespan. |
Important Considerations
- Token Lifecycle: Access tokens expire after a set time and need to be renewed
- Security: Never share your API keys or client credentials
- Permissions: Different operations require different permission scopes
- Rate Limiting: Authentication requests may be rate-limited
- Environment Separation: Different credentials are required for each environment
Authentication Flow
- Obtain your API key, client ID, and client secret
- Make a login request to obtain an access token
- Include both the API key and access token in subsequent requests
- Renew the access token before it expires
Get Token
POST
/loginThis endpoint is used to obtain an authentication token that will allow you to access the API. The token obtained must be included in the Authorization header of subsequent requests.
Request Body Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | Client ID |
| clientSecret | string | Yes | Secret key |
Request Body Example
{
"clientId": "tu-client-id",
"clientSecret": "tu-clave-secreta"
}
Response Codes
| Code | Description |
|---|---|
| 200 | Operation successful - Token generated correctly |
| 401 | Unauthorized - Invalid credentials |
Example Usage
- Javascript
- Python
const headers = {
"x-api-key": "YOUR_API_KEY",
"Content-Type": "application/json",
};
const data = {
clientId: "tu-client-id",
clientSecret: "tu-clave-secreta",
};
fetch("https://tm0cs5kjs6.execute-api.us-east-1.amazonaws.com/dev/login", {
method: "POST",
headers: headers,
body: JSON.stringify(data),
})
.then((response) => response.json())
.then((result) => console.log(result))
.catch((error) => console.log("error", error));
import requests
url = "https://tm0cs5kjs6.execute-api.us-east-1.amazonaws.com/dev/login"
headers = {
'x-api-key': 'YOUR_API_KEY',
'Content-Type': 'application/json'
}
data = {
"clientId": "tu-client-id",
"clientSecret": "tu-clave-secreta"
}
response = requests.post(url, headers=headers, json=data)
print(response.text)
Try the Endpoint
Test the authentication endpoint
Response:
Success Response Example
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
Error Response Example
{
"code": 401,
"message": "Unauthorized"
}
Best Practices
-
Token Management
- Store tokens securely
- Implement token refresh before expiration
- Never store tokens in client-side code
- Use environment variables for credentials
-
Error Handling
- Implement proper error handling for authentication failures
- Add retry logic with exponential backoff
- Monitor token expiration
- Log authentication errors for debugging
-
Security Measures
- Use HTTPS for all requests
- Rotate credentials periodically
- Implement request signing when required
- Monitor for unusual authentication patterns
-
Performance Optimization
- Cache tokens until near expiration
- Implement token refresh in background processes
- Use connection pooling for authentication requests
- Batch operations to minimize authentication overhead
Common Use Cases
-
Initial Setup
- Generate API credentials
- Implement authentication flow
- Set up secure credential storage
- Configure environment-specific settings
-
Production Deployment
- Migrate from sandbox to production credentials
- Implement proper security measures
- Set up monitoring and alerting
- Configure backup authentication methods
-
Multi-Environment Management
- Manage different credentials per environment
- Implement environment-specific configurations
- Set up credential rotation schedules
- Configure failover mechanisms
-
Troubleshooting
- Monitor authentication failures
- Debug token expiration issues
- Track rate limiting problems
- Analyze security incidents
Response Types
Success Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
Error Response Examples
Invalid Credentials
{
"code": 401,
"message": "Invalid client credentials"
}
Rate Limited
{
"code": 429,
"message": "Too many requests"
}
Expired Token
{
"code": 401,
"message": "Unauthorized"
}
Security Recommendations
-
Credential Storage
- Use secure credential vaults
- Encrypt sensitive data at rest
- Implement access controls
- Regular security audits
-
Request Security
- Validate SSL certificates
- Implement request signing
- Use secure communication channels
- Monitor for security breaches
-
Access Control
- Implement role-based access
- Regular permission audits
- Monitor unusual activity
- Implement IP whitelisting
-
Compliance
- Follow security best practices
- Implement audit logging
- Regular security reviews
- Maintain compliance documentation
Using the Token
The token obtained must be included in all subsequent requests as an authorization header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Security
All API endpoints require two types of authentication:
- API Key in header:
x-api-key - Authorization token in header:
Authorization
Token Expiration
The token has a limited lifespan, specified in the expiresIn field of the response (in seconds). You will need to request a new token once the current one has expired.