Mobile App Integration

The Pelcro Open API provides RESTful endpoints for mobile app integration. Use authentication endpoints to obtain a JWT token, then include that token in protected API requests.

Base URL: https://www.pelcro.com/api/v1/sdk

Full API Reference: Open API Documentation

# Example: Login and make authenticated request

POST /api/v1/sdk/auth/login?site_id={site_id}
Content-Type: application/json

{"email": "[email protected]", "password": "password"}

# Response includes auth_token
# Store token securely in device keychain/keystore

# Use token for authenticated requests
POST /api/v1/sdk/customer?site_id={site_id}
Authorization: Bearer {auth_token}

Prerequisites

Before integrating, you need:

Requirement	Description
Site ID	Your unique Pelcro site identifier (from dashboard)
HTTPS	All API requests must use HTTPS
Content-Type	All requests should use `application/json`

Authentication Flow

Mobile App → Register/Login → Receive JWT Token → Store Securely → Use in Authorization Header

Authentication Endpoints

Endpoint	Method	Auth Required	Description
`/auth/register`	POST	No	Register new user and receive auth token
`/auth/login`	POST	No	Login existing user and receive auth token
`/auth/logout`	POST	Yes	Invalidate token and logout user
`/auth/idp/login`	POST	No	Social login (Apple, Google, Facebook)
`/auth/passwordless/request`	POST	No	Request passwordless login link via email
`/auth/passwordless/login`	POST	No	Login using passwordless token

Site & Configuration

Endpoint	Method	Auth Required	Description
`/site`	GET	No	Get site configuration
`/plan`	POST	No	Get available subscription plans
`/plan/ip-authorization`	GET	No	Check IP-based plan authorization
`/plan/email-authorization`	GET	No	Check email-based plan authorization
`/geo/country`	GET	No	Get user's country by IP
`/location`	GET	No	Get user's location information

Authentication Pattern

All protected endpoints follow a consistent authentication pattern:

Register a New User

POST /api/v1/sdk/auth/register?site_id={site_id}
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "securePassword123",
  "first_name": "John",
  "last_name": "Doe"
}

Request Body Fields:

Field	Type	Required	Description
`email`	string	Yes	User's email address (must be unique)
`password`	string	Yes	Password (minimum 6 characters)
`first_name`	string	No	User's first name
`last_name`	string	No	User's last name
`display_name`	string	No	Display name (max 100 characters)
`username`	string	No	Unique username (alphanumeric, max 100 characters)
`phone`	string	No	Phone number
`language`	string	No	2-letter language code (e.g., "en", "fr")
`metadata`	object	No	Custom key-value pairs

Success Response (200 OK):

{
  "status": "success",
  "data": {
    "id": 12345,
    "email": "[email protected]",
    "first_name": "John",
    "last_name": "Doe",
    "auth_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "subscriptions": null,
    "addresses": null
  }
}

Login an Existing User

POST /api/v1/sdk/auth/login?site_id={site_id}
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "securePassword123"
}

Request Body Fields:

Field	Type	Required	Description
`email`	string	Yes*	User's email (*required if username not provided)
`username`	string	Yes*	Username (*required if email not provided)
`password`	string	Yes	User's password

Note: Provide either email OR username, not both. After 10 failed attempts, the account is locked for 5 minutes (HTTP 429).

Success Response (200 OK):

{
  "status": "success",
  "data": {
    "id": 12345,
    "email": "[email protected]",
    "first_name": "John",
    "last_name": "Doe",
    "auth_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "subscriptions": [...],
    "addresses": [...]
  }
}

Store Token Securely

After successful registration or login, store the auth_token securely on the device:

iOS: Use Keychain Services

Make Authenticated Requests

Include the token in the Authorization header for all protected endpoints:

POST /api/v1/sdk/customer?site_id={site_id}
Authorization: Bearer {auth_token}
Content-Type: application/json

Example: Get Customer Profile

POST /api/v1/sdk/customer?site_id={site_id}
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
Content-Type: application/json

Example: Update Customer Profile

PUT /api/v1/sdk/customer?site_id={site_id}
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
Content-Type: application/json

{
  "first_name": "Jane",
  "last_name": "Smith"
}

Logout

POST /api/v1/sdk/auth/logout?site_id={site_id}
Authorization: Bearer {auth_token}
Content-Type: application/json

Success Response (200 OK):

{
  "status": "success",
  "data": {
    "id": 12345,
    "email": "[email protected]"
  }
}

What Happens:

Token is invalidated on server (blacklisted)
Token cannot be used for subsequent requests
Clear token from device storage
User must login again to get new token

Token Management

Token Properties

Property	Value
Type	JWT (JSON Web Token)
TTL	60 days default; configurable per site via `auth_token_ttl_days` (range 1–365)
Storage	Secure device storage (Keychain/Keystore)
Header	`Authorization: Bearer {token}`

Response Format

Success Response

All successful responses follow this structure:

{
  "status": "success",
  "data": {
    // Response data here
  }
}

Error Response

All error responses follow this structure:

{
  "error": {
    "status": 400,
    "message": "Error description here"
  }
}

Error Handling

HTTP Status Codes

Code	Meaning	Action
200	Success	Process response data
400	Bad Request	Check request parameters and format
401	Unauthorized	Token invalid/expired - prompt user to login
403	Forbidden	User lacks permission for this resource
404	Not Found	Invalid credentials or resource doesn't exist
422	Validation Error	Fix validation issues shown in error message
429	Too Many Requests	Rate limited or account locked - wait and retry
500	Server Error	Retry request later or contact support

Error Response Examples

Invalid Credentials (404):

{
  "error": {
    "status": 404,
    "message": "Invalid credentials! Please try again."
  }
}

Validation Error (422):

{
  "error": {
    "status": 422,
    "message": "The email has already been taken."
  }
}

Rate Limited (429):

{
  "error": {
    "status": 429,
    "message": "Too many login attempts. Please try again in 5 minutes."
  }
}

Token Expired (401):

{
  "error": {
    "status": 401,
    "message": "Token has expired."
  }
}

Security Best Practices

Store tokens securely - Use platform secure storage (iOS Keychain, Android Keystore/EncryptedSharedPreferences)
Never store tokens in plain text - Avoid SharedPreferences, UserDefaults, or plain files
Use HTTPS only - All API communication must be encrypted
Validate SSL certificates - Enable certificate validation in your HTTP client
Handle token expiration - Check expiration before requests and refresh when needed
Clear tokens on logout - Remove from secure storage completely
Never log tokens - Avoid printing auth tokens in debug/console logs
Implement certificate pinning - Optional but recommended for additional security

Complete API Reference

This guide covers the most common endpoints for mobile app integration. For the complete list of available endpoints, including advanced features like campaigns, memberships, exports, webhooks, and more, refer to the Open API Documentation.

Quick Start Checklist

Step	Action
1	Get your `site_id` from Pelcro dashboard
2	Implement register/login endpoints to obtain JWT token
3	Store token securely in device secure storage (Keychain/Keystore)
4	Add `Authorization: Bearer {token}` header for all protected requests
5	Handle token expiration and implement re-authentication flow
6	Implement logout endpoint to invalidate token server-side
7	Test authentication flow and error handling

Additional Resources

Open API Introduction

For support, contact: [email protected]