The Auvo API uses a Bearer JWT valid for 30 minutes, issued by POST /login.
- Client calls
POST /loginwithapiKey+apiToken. - API replies with
result.accessTokenandresult.expiration(ISO-8601). - Client sends
Authorization: Bearer <accessToken>on every request. - Before
expiration, callPOST /loginagain to renew.
curl -X POST https://api.auvo.com.br/v2/login \
-H 'Content-Type: application/json' \
-d '{"apiKey":"...","apiToken":"..."}'- Store credentials in a secret manager (AWS Secrets Manager, Doppler, 1Password). Never in source code.
- One token per application: avoid sharing the same
accessTokenbetween different processes; each worker should renew its own. - Safety margin: renew the token 2 minutes early to cover clock skew.
- Rotation: call
POST /loginon 401 and retry the original request only once to avoid loops. - Avoid
GET /loginin production — credentials would leak in URL logs.
| Code | Cause | Action |
|---|---|---|
| 400 | Missing apiKey or apiToken | Check body/query. |
| 401 | Expired token | Renew via POST /login. |
| 403 | Rate limit exceeded | Wait 60s or back off. |
| 404 | Invalid credentials | Verify in Menu > Integration. |