Before invoking any service, you must first perform a login. The login process is detailed in the Login API documentation.
Example Login Response#
{
  "username": "YOUR.USERNAME",
  "companyId": "YOUR_COMPANY",
  "siteId": 501,
  "token": "your_token",
  "expires": "2024-06-06T13:15:59.267Z",
  "expiresInMS": 285000
}
Once you have successfully logged in, you have two alternatives for handling authentication in subsequent requests:
1. Save and Use the Bearer Token: Upon successful login, a bearer token is returned in the response. You can save this token and include it in the Authorization header for subsequent requests.
Note: The bearer token expires. You can find the expiration date in the response JSON under the expires field or the time in milliseconds until expiration under the expiresInMS field.
In case of an error (e.g., token expiration), you will receive a response with a status code 401 and the following body:
{
  "message": "Access Denied."
}
2. Use Cookies for Authentication: If you prefer not to manage the bearer token manually, you can use the cookies returned by the login response in subsequent requests.
With this approach, you do not need to worry about the token expiration, as the server will handle keeping the cookies up to date.
Ensure your client is configured to forward cookies for subsequent requests to maintain the authenticated session.
Consider Using Cookies for Authentication: If feasible, opt for the approach of managing authentication through cookies. This eliminates the need to manually handle token expiration, as the server will automatically refresh cookies to maintain the authenticated session.
Automatic Session Maintenance: With cookie-based authentication, you can rely on the server to handle session expiration and renewal, reducing the overhead on your end. This is particularly beneficial for long-lived sessions or scenarios where the user might be inactive for extended periods.
Be Aware of Cookie Expiration: While cookies provide convenient session management, be mindful that they too can expire, especially if there's no activity for an extended period. If the user remains inactive for several hours, the cookies might expire, requiring re-authentication.
By leveraging cookie-based authentication, you streamline the authentication process and reduce the burden of managing tokens, enhancing the overall user experience. However, always keep an eye on session lifetimes to ensure uninterrupted access for your users.
Errors and Permissions#
If the user making the request does not have the required permissions to invoke the service, the service will respond with an HTTP 403 Forbidden status code. The response body will include a JSON object with a message property indicating the missing permission. For example:
{
  "message": "Operation not allowed, missing permission 'product'"
}
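The bearer-token option and the 401 and 403 responses described above, as an added example that is not part of the original documentation: a client wrapper that renews the token shortly before `expiresInMS` elapses, logs in again once on a 401, and treats a 403 as a permission problem that a new login cannot fix. The `login` and `send` callables, `FakeApi`, the request paths and the 30-second margin are assumptions for illustration; `Bearer` is the standard Authorization scheme for bearer tokens.

```python
import re
import time

class PermissionDenied(Exception):
    """HTTP 403: the account lacks a permission, so re-login cannot help."""

class TokenSession:
    """Caches the bearer token and renews it before expiresInMS elapses."""
    def __init__(self, login, send, clock=time.monotonic, skew_s=30):
        # login() and send(path, headers) are hypothetical transport callables.
        self._login, self._send, self._clock = login, send, clock
        self._skew_s = skew_s  # renew this many seconds before expiry
        self._token, self._deadline = None, 0.0

    def _refresh(self):
        body = self._login()  # parsed login response JSON
        self._token = body["token"]
        # Relative expiresInMS plus a monotonic clock avoids wall-clock skew.
        self._deadline = self._clock() + body["expiresInMS"] / 1000 - self._skew_s

    def request(self, path):
        if self._token is None or self._clock() >= self._deadline:
            self._refresh()
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self._token}"}
            status, body = self._send(path, headers)
            if status != 401 or attempt == 1:
                break
            self._refresh()  # token rejected early: log in and retry once
        if status == 403:
            found = re.search(r"missing permission '([^']+)'", body["message"])
            raise PermissionDenied(found.group(1) if found else body["message"])
        if status == 401:
            raise PermissionError(body["message"])
        return body

class FakeApi:
    """Constructed stand-in for the service so the example runs offline."""
    logins = 0
    def login(self):
        self.logins += 1
        return {"token": f"t{self.logins}", "expiresInMS": 285000}

    def send(self, path, headers):
        if headers["Authorization"] != f"Bearer t{self.logins}":
            return 401, {"message": "Access Denied."}
        if path == "/product":
            return 403, {"message": "Operation not allowed, missing permission 'product'"}
        return 200, {"ok": True}
```

Keep the cached token in memory only and out of logs; anyone holding it can call the API as that user until it expires.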
In order to successfully use the API, the user must have the appropriate permissions granted to them. These permissions can be assigned by an administrator with the necessary privileges.
Base url endpoint#
Modified at 2025-11-26 14:21:36