Authentication

Pelcro uses JSON Web Tokens (JWT), an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Once the user has registered or logged in, each subsequent request to a protected endpoint must provide the JWT containing the identity of the customer in the Authorization header, prefixed with the Bearer keyword.

This approach makes it easy to implement Single Sign-On across different domains and properties.

Authorization header

Protected endpoints on Open API require the JWT containing the identity of the customer to be provided in the Authorization header, prefixed with the Bearer keyword. Here is a sample of a properly formatted request with the necessary Authorization header, including the JWT.

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL3BlbGNyby1mdHJ1ZGVhdS5uZ3Jvay5pby9hcGkvdjEvc2RrL2N1c3RvbWVyIiwiaWF0IjoxNjk3MjMxNjUyLCJleHAiOjE3MDI0MTU2NTIsIm5iZiI6MTY5NzIzMTY1MiwianRpIjoiVnY2MkVHdlJtUHVjaUd1VCIsInN1YiI6IjIwNyIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.D5yr8e5o_QqnntWaMopBSYEV6vWf6eRdt3L9oorEDAA
User-Agent: PostmanRuntime/7.33.0
Accept: application/json
Cache-Control: no-cache
Host: www.pelcro.com
Accept-Encoding: gzip, deflate, br

Time to live

The length of time (in minutes) that the token will be valid for. The default is 14 days.

Refresh time to live

The length of time (in minutes) during which the token can be refreshed, i.e. the user can refresh their token within a 2-week window of the original token being created, after which they must re-authenticate. The default is 14 days.

Handling invalid or expired tokens

If the provided token is invalid or has expired, a 401 Unauthorized status code will be returned. If this occurs, the customer needs to log in again in order to receive a fresh token to be used for all subsequent requests to protected endpoints.
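
A client-side pre-flight check for the lifetime rules described above, as an added example that is not Pelcro's code: it reads the exp, nbf and iat claims from the sample token without verifying the signature, decides whether to send the request, refresh, or log in again, and builds the Authorization header. The function names are hypothetical, the refresh window is measured from iat as described under "Refresh time to live", and the server's 401 response remains authoritative.

```python
import base64
import json
import time

# Sample token copied from the request shown above (header, payload, signature).
SAMPLE_JWT = ".".join([
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9",
    "eyJpc3MiOiJodHRwczovL3BlbGNyby1mdHJ1ZGVhdS5uZ3Jvay5pby9hcGkvdjEvc2RrL2N1c3RvbWVyIiwiaWF0IjoxNjk3MjMxNjUyLCJleHAiOjE3MDI0MTU2NTIsIm5iZiI6MTY5NzIzMTY1MiwianRpIjoiVnY2MkVHdlJtUHVjaUd1VCIsInN1YiI6IjIwNyIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ",
    "D5yr8e5o_QqnntWaMopBSYEV6vWf6eRdt3L9oorEDAA",
])
REFRESH_TTL_MINUTES = 14 * 24 * 60  # default refresh window stated on this page


def decode_claims(token):
    """Return the payload claims WITHOUT verifying the signature.

    Suitable for client-side scheduling only, never for trust decisions:
    only the server holding the signing key can validate the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # base64url omits padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict) or "exp" not in claims or "iat" not in claims:
        raise ValueError("JWT payload lacks the exp/iat claims")
    return claims


def token_state(token, now=None, refresh_ttl_minutes=REFRESH_TTL_MINUTES):
    """Classify a token as 'valid', 'refresh' or 'login' at time `now`."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    # Read the lifetime from the claims: the sample's exp - iat is 60 days.
    if claims.get("nbf", claims["iat"]) <= now < claims["exp"]:
        return "valid"      # send the request as-is
    if claims["iat"] <= now < claims["iat"] + refresh_ttl_minutes * 60:
        return "refresh"    # expired, but still inside the refresh window
    return "login"          # a 401 is expected; the customer must log in again


def auth_headers(token):
    """Headers for a protected endpoint, in the format shown above."""
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}
```

Keep the token out of logs and error reports when using a check like this: the Authorization header is a bearer credential for as long as the token is valid.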