# Authentication

The Auvo API uses a **Bearer JWT** valid for 30 minutes, issued by `POST /login`.

## Basic flow

1. Client calls `POST /login` with `apiKey` + `apiToken`.
2. API replies with `result.accessToken` and `result.expiration` (ISO-8601).
3. Client sends `Authorization: Bearer <accessToken>` on every request.
4. Before `expiration`, call `POST /login` again to renew.


## Example


```bash
curl -X POST https://api.auvo.com.br/v2/login \
  -H 'Content-Type: application/json' \
  -d '{"apiKey":"...","apiToken":"..."}'
```

## Best practices

- **Store credentials in a secret manager** (AWS Secrets Manager, Doppler,
1Password). Never in source code.
- **One token per application**: avoid sharing the same `accessToken` between
different processes; each worker should renew its own.
- **Safety margin**: renew the token 2 minutes early to cover clock skew.
- **Rotation**: call `POST /login` on 401 and retry the original request only
once to avoid loops.
- **Avoid `GET /login`** in production — credentials would leak in URL logs.


## Common errors

| Code | Cause | Action |
|  --- | --- | --- |
| 400 | Missing `apiKey` or `apiToken` | Check body/query. |
| 401 | Expired token | Renew via `POST /login`. |
| 403 | Rate limit exceeded | Wait 60s or back off. |
| 404 | Invalid credentials | Verify in **Menu > Integration**. |