Authentication

Most Livepin endpoints require a bearer token. The Postman collection includes three common auth flows: user login, login with API key, and OAuth token generation.

Bearer token header

All secured requests should include:

Authorization: Bearer <JWT_TOKEN>

Flow 1: User login

User login

POST /api/auth/local

curl -X POST "$LIVEPIN_API_BASE_URL/api/auth/local" \
  -H "Content-Type: application/json" \
  -d '{
    "identifier": "your-email-or-username",
    "password": "your-password"
  }'

Flow 2: Login with API key

Useful for server-to-server workflows where user credentials are not used.

API key login

POST /api/user/login-with-api-key

curl -X POST "$LIVEPIN_API_BASE_URL/api/user/login-with-api-key" \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "lp_live_..."
  }'

Flow 3: OAuth token generation

For integrations that already operate on OAuth clients.

Generate OAuth token

curl -X POST "$LIVEPIN_API_BASE_URL/api/oauth/generate-token" \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "...",
    "client_secret": "...",
    "grant_type": "client_credentials"
  }'

Related endpoints

  • POST /api/api-accesses to generate API keys
  • POST /api/user/send-otp and POST /api/user/verify-otp for OTP login
  • POST /api/user/logout to invalidate user sessions
  • POST /api/user/forgot-password, POST /api/user/reset-password, POST /api/user/change-password for credential lifecycle

Security recommendations

  • Rotate API keys periodically.
  • Keep JWTs and API keys in secret managers, not source code.
  • Use separate credentials per environment (dev/stage/prod).
  • Revoke and regenerate tokens immediately if compromised.
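
The Flow 2 login combined with the recommendations above, as an added example (not Livepin's own code): the API key is read from the environment instead of being written into source or typed on a command line, and the resulting token is turned into the Authorization header. The `LIVEPIN_API_KEY` variable name and the `jwt` response field are assumptions, since the page does not show the response body.

```python
import json
import os
import urllib.request

# Assumption: the login response is a JSON object with the token in "jwt".
# The page does not show the response body; change TOKEN_FIELD to match.
TOKEN_FIELD = "jwt"


def api_key_login_request(base_url, api_key):
    """Build the POST for /api/user/login-with-api-key (Flow 2)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    if not api_key:
        raise ValueError("API key is empty; load it from a secret store")
    body = json.dumps({"api_key": api_key}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/user/login-with-api-key",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json"},
    )


def token_from_response(raw):
    """Extract the bearer token, failing closed on any unexpected shape."""
    doc = json.loads(raw)
    token = doc.get(TOKEN_FIELD) if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("login response carried no token")
    return token


def bearer_headers(token):
    """Header for secured requests: Authorization: Bearer <JWT_TOKEN>."""
    if "\r" in token or "\n" in token:
        raise ValueError("token contains a line break")  # header-injection guard
    return {"Authorization": "Bearer " + token}


def login(base_url=None, api_key=None, timeout=10):
    """Exchange the API key for a token; secrets come from the environment."""
    base_url = base_url or os.environ["LIVEPIN_API_BASE_URL"]
    api_key = api_key or os.environ["LIVEPIN_API_KEY"]  # hypothetical variable name
    req = api_key_login_request(base_url, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return bearer_headers(token_from_response(resp.read()))
```

Nothing here logs the key or the token; keep it that way when adding error handling, since exception messages and request dumps are a common place for credentials to leak.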
