Skip to main content

Authentication

In the Lochting software, API access is secured with JSON Web Tokens (JWT). After authenticating with your API key, you receive an access token and a refresh token for subsequent requests.

Token lifetimes

The access token is a temporary credential for protected API calls. Access tokens remain valid for one day.

The refresh token is used to obtain a new access token when the current one expires. Refresh tokens remain valid for three days.

Obtain an access token

Send your API key to the Access Token endpoint:

curl -X POST https://api.lochting.com/public/v1/get-token \
-H "Content-Type: application/json" \
-d '{"apiKey": "your-api-key"}'

The response contains accessToken and refreshToken.

Use the access token

Add the access token to the Authorization header of each API call. You may pass the token directly or prefix it with Bearer:

curl https://api.lochting.com/public/v1/orders \
-H "Authorization: your-access-token"
curl https://api.lochting.com/public/v1/orders \
-H "Authorization: Bearer your-access-token"

Both forms are accepted.

Refresh an access token

Send your refresh token as plain text to the Refresh Token endpoint:

curl -X POST https://api.lochting.com/public/v1/refresh-token \
-H "Content-Type: text/plain" \
-d "your-refresh-token"

API key scopes

Access to the API is granted based on the scope of the API key. The following scopes are available:

  • orders
  • customers
  • reservations
  • shipments
  • stock
  • prices
  • webhooks

If your key does not include the required scope, the API responds with 401 Unauthorized.

Get an API key

To obtain an API key, please contact us.