
Authentication

The Marketiger API uses Bearer token authentication (JWT) to secure API endpoints. This guide explains how to authenticate and manage your access tokens.

Overview

All API endpoints (except the login endpoint) require authentication using a Bearer token in the Authorization header. Tokens are obtained through the login endpoint and can be refreshed using a refresh token.

Authentication Flow

  1. Login - Send credentials to /Auth/Login to receive an access token and refresh token
  2. Use Access Token - Include the access token in the Authorization header for all API requests
  3. Refresh Token - When the access token expires, use the refresh token to obtain a new access token

Login Endpoint

Authenticate with your email and password to receive tokens.

Endpoint

POST https://devapi.marketiger3d.com/v2/Auth/Login

Request Body

{
  "email": "your-email@example.com",
  "password": "your-password"
}

Example Request

cURL

curl -X POST "https://devapi.marketiger3d.com/v2/Auth/Login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "your-email@example.com",
    "password": "your-password"
  }'

JavaScript

const response = await fetch('https://devapi.marketiger3d.com/v2/Auth/Login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    email: 'your-email@example.com',
    password: 'your-password'
  })
});

const data = await response.json();
const accessToken = data.data.accessToken;
const refreshToken = data.data.refreshToken;

C#

using System.Net.Http;
using System.Text;
using System.Text.Json;

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "https://devapi.marketiger3d.com/v2/Auth/Login");
request.Content = new StringContent(JsonSerializer.Serialize(new {
    email = "your-email@example.com",
    password = "your-password"
}), Encoding.UTF8, "application/json");

var response = await client.SendAsync(request);
var responseContent = await response.Content.ReadAsStringAsync();
// LoginResponse is your own type mirroring the response JSON. The API returns
// camelCase keys, so property names are matched case-insensitively.
var jsonOptions = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
var loginResponse = JsonSerializer.Deserialize<LoginResponse>(responseContent, jsonOptions);
var accessToken = loginResponse.Data.AccessToken;
var refreshToken = loginResponse.Data.RefreshToken;

Success Response (200 OK)

{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "refresh_token_string_here"
  }
}

Error Response (400 Bad Request)

{
  "success": false,
  "error": {
    "type": "AUTHENTICATION",
    "message": "Username or Password are incorrect."
  }
}

Using the Access Token

Include the access token in the Authorization header of all authenticated requests:

Authorization: Bearer <your_access_token>

Example: Authenticated Request

cURL

curl -X GET "https://devapi.marketiger3d.com/v2/Project/GetProjects" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json"

JavaScript

const response = await fetch('https://devapi.marketiger3d.com/v2/Project/GetProjects', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  }
});

const data = await response.json();

C#

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", accessToken);

var response = await client.GetAsync("https://devapi.marketiger3d.com/v2/Project/GetProjects");
var content = await response.Content.ReadAsStringAsync();

Refresh Token

When your access token expires, use the refresh token to obtain a new access token without requiring the user to log in again.

Endpoint

POST https://devapi.marketiger3d.com/v2/Auth/RefreshToken

Request Body

{
  "refreshToken": "your_refresh_token_here"
}

Example Request

cURL

curl -X POST "https://devapi.marketiger3d.com/v2/Auth/RefreshToken" \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "your_refresh_token_here"
  }'

JavaScript

const response = await fetch('https://devapi.marketiger3d.com/v2/Auth/RefreshToken', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    refreshToken: refreshToken
  })
});

const data = await response.json();
const newAccessToken = data.data.accessToken;

Success Response (200 OK)

{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "new_refresh_token_here"
  }
}

Token Expiration

  • Access Tokens: Expire after a set period (typically 1 hour). When expired, you'll receive a 401 Unauthorized response.
  • Refresh Tokens: Expire after 12 hours. Store them securely and use them to obtain new access tokens.

Handling Token Expiration

Implement automatic token refresh in your application:

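// Set both from the login response; declared with let so they can be replaced
let accessToken;
let refreshToken;

async function makeAuthenticatedRequest(url, options = {}) {
  let response = await fetch(url, {
    ...options,
    headers: {
      ...options.headers,
      'Authorization': `Bearer ${accessToken}`
    }
  });

  // If token expired, refresh and retry
  if (response.status === 401) {
    const refreshResponse = await fetch('https://devapi.marketiger3d.com/v2/Auth/RefreshToken', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refreshToken })
    });

    // A failed refresh (for example, an expired refresh token) needs a new login
    if (!refreshResponse.ok) {
      throw new Error('Token refresh failed; log in again');
    }

    const refreshData = await refreshResponse.json();
    accessToken = refreshData.data.accessToken;
    // The refresh response also returns a new refresh token; keep it for next time
    refreshToken = refreshData.data.refreshToken;

    // Retry original request once with new token
    response = await fetch(url, {
      ...options,
      headers: {
        ...options.headers,
        'Authorization': `Bearer ${accessToken}`
      }
    });
  }

  return response;
}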

Security Best Practices

Token Storage

  • Never commit tokens to version control - Use environment variables or secure configuration files
  • Store tokens securely - Use secure storage mechanisms appropriate for your platform
  • Rotate tokens regularly - Implement token refresh logic in production applications

HTTPS Only

  • Always use HTTPS - Never make API requests over HTTP
  • Verify SSL certificates - Ensure your HTTP client validates SSL certificates

Token Handling

  • Don't log tokens - Avoid logging access tokens or refresh tokens
  • Don't share tokens - Each application instance should have its own tokens
  • Implement token refresh - Automatically refresh tokens before they expire
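
The "refresh tokens before they expire" advice above, as an added example that is not Marketiger's own code: it refreshes shortly before expiry and shares one in-flight refresh between concurrent callers, so a single refresh token is never submitted twice. It assumes Node 18+ and that the access token is a JWT with a standard `exp` claim; `createTokenManager`, `jwtExpiryMs`, `fetchImpl`, `skewMs` and `now` are hypothetical names.

```javascript
// Added example (not Marketiger code). Assumes Node 18+ and that the access
// token is a JWT with a standard `exp` claim; createTokenManager is hypothetical.
const REFRESH_URL = 'https://devapi.marketiger3d.com/v2/Auth/RefreshToken';

// Decode `exp` (ms) from the JWT payload. No signature check: this value only
// schedules client-side refreshes and is never used for a trust decision.
function jwtExpiryMs(token) {
  try {
    const payload = Buffer.from(token.split('.')[1], 'base64url').toString('utf8');
    const { exp } = JSON.parse(payload);
    return typeof exp === 'number' ? exp * 1000 : null;
  } catch {
    return null; // opaque or malformed token: expiry unknown
  }
}

function createTokenManager({ accessToken, refreshToken, fetchImpl = fetch,
                              skewMs = 60_000, now = Date.now }) {
  let inFlight = null; // one shared promise, so concurrent callers refresh once

  // Stale = expires within skewMs. Unknown expiry is left to the 401 retry path.
  function isStale() {
    const exp = jwtExpiryMs(accessToken);
    return exp !== null && exp - now() <= skewMs;
  }

  function refresh() {
    if (!inFlight) {
      inFlight = (async () => {
        const res = await fetchImpl(REFRESH_URL, {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ refreshToken }),
        });
        const body = res.ok ? await res.json() : null;
        if (!body || !body.success) throw new Error('Token refresh failed; log in again');
        // The response carries a new refresh token as well: replace both.
        ({ accessToken, refreshToken } = body.data);
      })().finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  async function getAccessToken() {
    if (isStale()) await refresh();
    return accessToken;
  }

  return { getAccessToken, isStale };
}
```

Call `getAccessToken()` immediately before building each `Authorization` header instead of caching the token string in calling code. In a browser, replace the `Buffer` call with `atob` on the base64url-decoded payload.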

Error Responses

401 Unauthorized

Returned when:

  • No Authorization header is provided
  • The access token is invalid or expired
  • The token format is incorrect

{
  "success": false,
  "error": {
    "type": "AUTHENTICATION",
    "message": "Authentication failed"
  }
}

403 Forbidden

Returned when:

  • The user doesn't have permission to access the requested resource
  • The user doesn't have access to the specified project

{
  "success": false,
  "error": {
    "type": "NO_PERMISSION",
    "message": "User has no permission for this project"
  }
}

Project Access

You can use the Marketiger API with just an account, but to upload models and place orders you must have a project assigned to your account. Projects are created by Marketiger and assigned to your Marketiger Hub account; you cannot create them yourself.

Once Marketiger has assigned a project to your account, you can use it with the API to upload models and create orders. To check if you have access to a project:

curl -X GET "https://devapi.marketiger3d.com/v2/Project/HasAccesToProject?projectId=YOUR_PROJECT_ID" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

If you don't have access to a project, contact Marketiger to have a project assigned to your account. For more information about projects, see the Projects documentation page.

Next Steps