Authentication
All Pagamio VAS API endpoints (except the auth endpoints themselves) require a valid Bearer token in the Authorization header.
Obtain An Access Token
Endpoint: POST /auth/token
Request Body:
{
  "username": "your_api_username",
  "password": "your_api_password"
}
Successful Response:
{
  "successful": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiJ9...",
    "expiresIn": 1800
  }
}
Token Lifetimes
| Token | Lifetime |
|---|---|
| Access token | 30 minutes |
| Refresh token | 7 days |
Use the access token in every request:
Authorization: Bearer <ACCESS_TOKEN>
Refresh An Access Token
When the access token is close to expiry (or you receive a 401), exchange your refresh token for a new pair.
Endpoint: POST /auth/token/refresh
Request Body:
{
  "refreshToken": "<REFRESH_TOKEN>"
}
The response shape is identical to /auth/token.
Recommended Client Pattern
- On startup, call /auth/token to obtain an access + refresh token pair.
- Cache both tokens in memory (do not persist to disk in plain text).
- Before each request, check the access token expiry. If less than 5 minutes remain, refresh.
- If any request returns 401, refresh once and retry the request.
- If the refresh call also returns 401 (refresh token has expired or been revoked), call /auth/token again with the credentials.
See Bearer Token Management for code examples and Access & Permissions for what each role can do.
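The recommended client pattern above, as an added Python example that is not Pagamio's own code. The `send` transport hook, the `TokenClient` and `FakeApi` names and the `/example/resource` path are assumptions; `FakeApi` is a constructed in-memory stand-in so the example runs offline.

```python
import time

class TokenClient:
    """Hypothetical client; send(method, path, body, headers) -> (status, json) is an assumed hook."""
    MARGIN = 300  # seconds: refresh when less than 5 minutes remain
    def __init__(self, send, username, password, clock=time.monotonic):
        self._send, self._clock, self._creds = send, clock, {"username": username, "password": password}
        self._login()  # tokens are held only in this object's memory

    def _store(self, body):
        if not body.get("successful"):
            raise PermissionError("token endpoint rejected the request")
        data = body["data"]
        self._access, self._refresh = data["token"], data["refreshToken"]
        self._expires_at = self._clock() + data["expiresIn"]

    def _login(self):
        self._store(self._send("POST", "/auth/token", self._creds, {})[1])

    def _renew(self):
        status, body = self._send("POST", "/auth/token/refresh", {"refreshToken": self._refresh}, {})
        if status == 401:  # refresh token expired or revoked: fall back to credentials
            self._login()
        else:
            self._store(body)

    def request(self, method, path, body=None):
        if self._expires_at - self._clock() < self.MARGIN:
            self._renew()
        for attempt in range(2):
            status, resp = self._send(method, path, body, {"Authorization": f"Bearer {self._access}"})
            if status != 401 or attempt == 1:
                return status, resp
            self._renew()  # on 401, refresh once and retry the request

class FakeApi:  # constructed in-memory stand-in for the API so the example runs offline
    def __init__(self):
        self.calls, self.n, self.valid, self.refresh_ok = [], 0, None, True
    def _pair(self):
        self.n += 1
        self.valid = f"access-{self.n}"
        data = {"token": self.valid, "refreshToken": f"refresh-{self.n}", "expiresIn": 1800}
        return 200, {"successful": True, "data": data}
    def __call__(self, method, path, body, headers):
        self.calls.append(path)
        if path == "/auth/token" or (path == "/auth/token/refresh" and self.refresh_ok):
            return self._pair()
        ok = headers.get("Authorization") == f"Bearer {self.valid}"
        return (200, {"successful": True}) if ok else (401, {"successful": False})
```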
Public Endpoints (No Token Required)
- POST /auth/token
- POST /auth/token/refresh
- POST /users/forgotpassword
- POST /users/resetpassword
Last updated: April 2026