Authentication
The SoshiaConnect API uses two authentication methods, depending on your use case.
Bearer Token Authentication
Bearer tokens are used for authenticated user endpoints. These tokens are obtained after successful user login.
How to Get a Bearer Token
- Call the /auth/login endpoint with your credentials
- Receive an access token in the response
- Use this token in the Authorization header for subsequent requests
Example Request
curl -X POST https://api.soshiaconnect.com/api/auth/login \
-H "Content-Type: multipart/form-data" \
-F "email=user@example.com" \
-F "password=yourpassword"
Example Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"user": {
"id": 1,
"email": "user@example.com",
"full_name": "John Doe"
}
}
Using the Bearer Token
Include the token in the Authorization header:
curl https://api.soshiaconnect.com/api/auth/profile \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
API Key Authentication
API keys are used for external API consumption and server-to-server communication.
How to Get an API Key
- Log in to your SoshiaConnect account
- Navigate to the API Keys section
- Click "Generate New API Key"
- Copy and securely store your API key
Using the API Key
Include the API key in the request headers:
curl https://api.soshiaconnect.com/api/api-routes-data?id=123 \
-H "X-API-Key: your_api_key_here" \
-H "X-Username: your_username"
Security Best Practices
- Never share your credentials or API keys
- Use HTTPS only - Never send credentials over HTTP
- Rotate API keys regularly - Generate new keys periodically
- Store securely - Use environment variables or secret management systems
- Monitor usage - Check your API usage logs regularly for suspicious activity
- Revoke compromised keys immediately - If you suspect a key has been compromised, revoke it right away
Token Expiration
- Bearer tokens expire after a certain period (typically 24 hours)
- Use the /auth/refresh endpoint to refresh expired tokens
- API keys don't expire but can be deactivated manually
Error Responses
401 Unauthorized
{
"success": false,
"message": "Invalid or missing authentication"
}
403 Forbidden
{
"success": false,
"message": "Insufficient permissions"
}
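As an added example that is not part of the SoshiaConnect docs, the Python client below applies the rules from this page: it refuses non-HTTPS base URLs, reads the API key and username from environment variables (SOSHIA_API_KEY and SOSHIA_USERNAME are assumed names), retries a bearer request once after calling /auth/refresh on a 401, and treats a 403 as non-retryable. The transport is injected (send(method, url, headers, form=None) returning (status, json_body)) so the logic runs offline; the refresh request format is an assumption, since the page does not specify it.

```python
import os
from urllib.parse import urlsplit

BASE_URL = "https://api.soshiaconnect.com/api"

def require_https(url):
    """Enforce the 'HTTPS only' rule before any credential leaves the process."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to non-HTTPS URL: {url}")
    return url

def api_key_headers(api_key=None, username=None):
    """Server-to-server headers; defaults come from env vars (assumed names)."""
    api_key = api_key or os.environ["SOSHIA_API_KEY"]
    username = username or os.environ["SOSHIA_USERNAME"]
    return {"X-API-Key": api_key, "X-Username": username}

class SoshiaClient:
    """Bearer-token client; send(method, url, headers, form=None) is an injected transport."""

    def __init__(self, send, base_url=BASE_URL):
        self.send, self.base_url, self.token = send, require_https(base_url), None

    def _bearer(self):
        return {"Authorization": f"Bearer {self.token}"}

    def login(self, email, password):
        form = {"email": email, "password": password}  # transport sends these as form fields
        status, body = self.send("POST", f"{self.base_url}/auth/login", {}, form)
        if "access_token" not in body or body.get("token_type") != "Bearer":
            raise PermissionError(body.get("message", "login failed"))
        self.token = body["access_token"]  # kept inside the client, never returned
        return body["user"]

    def refresh(self):
        # Assumption: /auth/refresh is a POST carrying the expiring bearer token.
        status, body = self.send("POST", f"{self.base_url}/auth/refresh", self._bearer())
        if "access_token" not in body:
            raise PermissionError("refresh failed; log in again")
        self.token = body["access_token"]

    def get(self, path):
        status, body = self.send("GET", f"{self.base_url}{path}", self._bearer())
        if status == 401:  # token expired: refresh once and retry the same request
            self.refresh()
            status, body = self.send("GET", f"{self.base_url}{path}", self._bearer())
        if status == 403:  # authenticated but not permitted: retrying cannot help
            raise PermissionError(body["message"])
        return status, body
```

A real transport would encode the form as multipart/form-data for /auth/login and parse the JSON body, mirroring the curl examples above.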