Authentication

Your customers must be authenticated to buy from your store.

Customer authentication

Customers are authenticated using:

  • a login (email address)

  • a password

    Passwords must have 8 characters minimum and contain at least:

    • one uppercase letter [A-Z]
    • one lowercase letter [a-z]
    • one numeric character [0-9]
    • one special character [~`!@#$%^&*()-_+={}[]|;:"<>,./?]
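The password policy above, as an added client-side check (example code, not part of the DJUST API or documentation). It reports every rule a candidate password breaks, using the exact special-character set listed; it assumes that characters outside the four listed classes are neither required nor rejected, since the policy does not say.

```python
# Minimum length and special-character set as stated in the DJUST password policy.
MIN_LENGTH = 8
SPECIAL_CHARS = set("~`!@#$%^&*()-_+={}[]|;:\"<>,./?")


def password_policy_violations(password: str) -> list[str]:
    """Return the list of documented password rules that `password` breaks.

    An empty list means every stated rule is satisfied. Only the documented
    minimums are checked; characters outside the listed classes (spaces,
    accented letters, ...) are neither required nor rejected here, which is
    an assumption: the documentation does not say whether they are accepted.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"at least {MIN_LENGTH} characters")
    # Explicit ASCII ranges match the policy's [A-Z]/[a-z]/[0-9]; str.isupper()
    # and friends would also accept non-ASCII letters such as "É".
    if not any("A" <= c <= "Z" for c in password):
        violations.append("one uppercase letter [A-Z]")
    if not any("a" <= c <= "z" for c in password):
        violations.append("one lowercase letter [a-z]")
    if not any("0" <= c <= "9" for c in password):
        violations.append("one numeric character [0-9]")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("one special character from the documented set")
    return violations


def is_valid_password(password: str) -> bool:
    """True when the password satisfies every documented rule."""
    return not password_policy_violations(password)


if __name__ == "__main__":
    for candidate in ("Str0ng!pw", "Sh0rt!", "NoSpecial1", "alllower1!"):
        print(repr(candidate), password_policy_violations(candidate) or "ok")
```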

Use the AUTH-100 route to authenticate as a customer.

Authorization

Each customer user is associated with one or more profiles. Each profile has a different authorization level on the available API routes. For each route, the customer user can have one of the following rights:

  • read-only
  • read and write
  • none

Session

DJUST API connections use the OAuth2 protocol. During the authentication process, two tokens are returned.

Access Token

The access token allows applications to access the API and is transmitted as a Bearer credential in the HTTP Authorization header.

-H 'Authorization: Bearer {{accessToken}}'

The access token is only valid for 10 minutes, which limits the window in which a leaked token can be misused.

See AUTH-101 for more information on usage.

Refresh Token

As the access token has a limited validity, use the refresh token to request a new access token.

The refresh token is valid for two hours.

See AUTH-102 for more information on usage.

Log out

Logging out means revoking both the refresh token and the access token.

See AUTH-103 for more information on usage.

Reset password

The password can be reset if forgotten.

  1. Request a password reset using PWD-101 (the user's email address is transmitted during the API call). To avoid disclosing whether an address is registered, the existence of the email address is not revealed: even if it does not exist in DJUST, the API returns a success.

  2. DJUST sends an email containing a link to a reset password page. If the email address does not exist in DJUST, no email is sent.

    The link is only valid for 24 hours.

  3. Input the new password on the reset page. The PWD-102 API is called.

    If the link is still valid, the password is updated and can be used to authenticate back on the (what) page.

    If the link expired, a new request must be made.