Skip to content
Last updated

Authentication

The Auvo API uses a Bearer JWT valid for 30 minutes, issued by POST /login.

Basic flow

  1. Client calls POST /login with apiKey + apiToken.
  2. API replies with result.accessToken and result.expiration (ISO-8601).
  3. Client sends Authorization: Bearer <accessToken> on every request.
  4. Before expiration, call POST /login again to renew.

Example

curl -X POST https://api.auvo.com.br/v2/login \
  -H 'Content-Type: application/json' \
  -d '{"apiKey":"...","apiToken":"..."}'

Best practices

  • Store credentials in a secret manager (AWS Secrets Manager, Doppler, 1Password). Never in source code.
  • One token per application: avoid sharing the same accessToken between different processes; each worker should renew its own.
  • Safety margin: renew the token 2 minutes early to cover clock skew.
  • Rotation: call POST /login on 401 and retry the original request only once to avoid loops.
  • Avoid GET /login in production — credentials would leak in URL logs.

Common errors

CodeCauseAction
400Missing apiKey or apiTokenCheck body/query.
401Expired tokenRenew via POST /login.
403Rate limit exceededWait 60s or back off.
404Invalid credentialsVerify in Menu > Integration.