Talk to an Expert
Authentication - Grasshopper Labs API
DocsAuthentication
Security

Authentication

Bearer token authentication. Get a token, send it on every request, refresh when needed.

How it works

Grasshopper uses token-based auth. You exchange your API user credentials for a short-lived bearer token, then send that token on every subsequent request via the Authorization header.

Credentials are tied to your shipper account on a specific licensee

Your API user is provisioned by the licensee you integrate with and scoped to a specific shipper on their instance. Tokens are not portable across licensees. Tokens cannot access data outside the shipper scope.

Request a token

POST /api/token/

Body parameters

email
string Required
The API user's email address.
password
string Required
The API user's password. Never log or store in plaintext.
curl -X POST https://{licensee-url}/api/token/ \
  -H "Content-Type: application/json" \
  -d '{
    "email": "api@your-company.com",
    "password": "your-api-password"
  }'
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "rfsh_abc123...",
  "expires_in": 3600,
  "token_type": "Bearer"
}
Try it out
Response will appear here

Use the token

Include the token in the Authorization header on every subsequent request:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

Refresh a token

Tokens expire after the duration shown in expires_in (seconds). Use the refresh token to get a new access token without re-prompting for credentials.

POST /api/token/refresh/
refresh_token
string Required
The refresh token returned by /api/token/.

Revoke a token

If a token is leaked or no longer needed, revoke it. Subsequent requests with that token will return 401 Unauthorized.

POST /api/token/revoke/

Security best practices

  • Never commit credentials — store API user passwords in a secret manager (AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault)
  • Cache the token — don't request a new one for every API call. Reuse until close to expiration.
  • Refresh proactively — refresh ~60s before expiration to avoid in-flight failures
  • Use a server-side proxy — never expose API credentials to browser JavaScript
  • Rotate periodically — request a new password from your licensee every 90 days

Common errors

StatusMeaningResolution
401Invalid credentialsCheck email and password. Contact your licensee if locked out.
401Token expiredUse the refresh_token to get a new access token.
403Token valid but lacks scopeRequest additional scopes from your licensee.

See Errors for the full error reference.

← Previous
Getting started