The Kini API supports JWT (JSON Web Token) authentication for legacy purposes. This mechanism provides a flexible way to handle authentication and eliminates the need for managing passwords directly.
JWT Token Authentication Deprecated
The authentication flow using username/password credentials to obtain JWT and refresh tokens is still supported but has been deprecated. We recommend migrating to the Bearer API Key authentication method for improved security and simplified integration.
Overview
To authenticate with the Kini API:
- Obtain an access token using your username and password from the /token/ endpoint.
- Include the access token in the Authorization header for all API requests.
- Refresh the token as needed using the provided /token/refresh/ endpoint.
Endpoints
1. Obtain Token
Use the POST /token/ endpoint to generate an access and refresh token.
Required Request Body:
{
"username": "your_username",
"password": "your_password"
}
2. Request Headers
Once you have an access token, include it in the Authorization header of your API requests:
Authorization: Bearer <your_access_token>
3. Refresh Token
Use the POST /token/refresh/ endpoint to refresh an expired access token and obtain a new refresh token.
Required Request Body:
{
"refresh": "your_refresh_token"
}
Example Response:
{
"access": "new_access_token",
"refresh": "new_refresh_token"
}
Token Validity
- Access Tokens: Valid for 5 minutes. These are used to authenticate API requests.
- Refresh Tokens: Valid for 24 hours. These are used to obtain new access and refresh tokens without requiring username and password authentication. Each refresh request generates a new refresh token, enhancing security through token rotation.
Best Practices
- Store Tokens Securely: Store tokens in encrypted storage and avoid exposing them in client-side code or logs.
- Use Token Rotation: Always replace the old refresh token with the new one returned from /token/refresh/ to minimize security risks.
- Handle Token Expiration: Monitor API responses for expiration errors (HTTP 401) and use the /token/refresh/ endpoint to refresh tokens before expiration.
- Reauthenticate When Necessary: If both the access and refresh tokens expire, reauthenticate using the /token/ endpoint with your username and password.
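The token lifecycle described above (proactive refresh, rotation, and fallback to credentials) can be sketched as follows. This is an added example, not Kini's own client code: TokenManager, FakeKini, the post(path, body) transport and the SKEW margin are hypothetical names, and it assumes /token/ returns the same access/refresh fields shown for /token/refresh/.

```python
import time

ACCESS_TTL, REFRESH_TTL = 5 * 60, 24 * 3600  # validity periods stated on this page
SKEW = 30  # assumption: renew this many seconds before expiry

class TokenManager:
    """Hypothetical client helper; post(path, body) must return (status, json_dict)."""
    def __init__(self, post, username, password, clock=time.monotonic):
        self._post, self._clock = post, clock
        self._creds = {"username": username, "password": password}
        self._access = self._refresh = None
        self._access_exp = self._refresh_exp = 0.0

    def _store(self, body):
        # Rotation: the old refresh token is always overwritten by the new one.
        now = self._clock()
        self._access, self._refresh = body["access"], body["refresh"]
        self._access_exp, self._refresh_exp = now + ACCESS_TTL, now + REFRESH_TTL

    def renew(self):
        """Refresh while the refresh token is usable, else log in again (call on HTTP 401)."""
        if self._refresh and self._clock() < self._refresh_exp - SKEW:
            status, body = self._post("/token/refresh/", {"refresh": self._refresh})
            if status == 200:
                return self._store(body)
        status, body = self._post("/token/", self._creds)
        if status != 200:
            raise PermissionError(f"/token/ returned HTTP {status}")  # no secrets in errors
        self._store(body)

    def auth_header(self):
        if self._access is None or self._clock() >= self._access_exp - SKEW:
            self.renew()
        return {"Authorization": f"Bearer {self._access}"}

class FakeKini:
    """Constructed stand-in server: rotates refresh tokens and rejects stale ones."""
    def __init__(self):
        self.n, self.valid, self.calls = 0, None, []

    def post(self, path, body):
        self.calls.append(path)
        if path == "/token/refresh/" and body.get("refresh") != self.valid:
            return 401, {}
        self.n += 1
        self.valid = f"refresh-{self.n}"
        return 200, {"access": f"access-{self.n}", "refresh": self.valid}
```

In a real integration, post would wrap an HTTPS client pointed at the API base URL, and the tokens held in memory here would be kept in encrypted storage if they must persist.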