# Authentication & Authorization

## Authentication

To log in through the API, submit the API credentials supplied to you by Ibanera together with a one-time password (`otp`). The login endpoint authenticates a user by validating their credentials and TOTP code, and returns an access token for subsequent API requests.

[Refer to our guide on Generating a Time-Based One-Time Password (TOTP) with a Shared Secret.](https://customer-api-docs.ibanera.com/getting-started/authentication-and-authorization/generating-a-time-based-one-time-password-totp-with-a-shared-secret)

* **Endpoint:** `/api/v1/public/auth/login`
* **Method:** `POST`

{% openapi src="https://1042261367-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxYGT6bxbvntyOdsHjmeN%2Fuploads%2Fgit-blob-6face27c0a15b254555d05b77ca4cd8e06609f27%2FCustomer%20API%20-%20Public.json?alt=media" path="/api/v1/public/auth/login" method="post" expanded="true" %}
[Customer API - Public.json](https://1042261367-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxYGT6bxbvntyOdsHjmeN%2Fuploads%2Fgit-blob-6face27c0a15b254555d05b77ca4cd8e06609f27%2FCustomer%20API%20-%20Public.json?alt=media)
{% endopenapi %}

**Request Body Parameters:**

* `username` (String): The username of the user attempting to log in—required.
* `password` (String): The password associated with the username—required.
* `otp` (String): A time-based one-time password (TOTP) generated from the user's shared secret—required.

**Request Example:**

```json
{
  "username": "exampleUser",
  "password": "examplePass",
  "otp": "123456"
}
```

**Response Body Parameters:**

* `id` (Integer): A numerical identifier of the response, often representing the authenticated user’s ID.
* `details` (Object):
  * `accessToken` (String): The bearer token provided upon successful authentication.
  * `expiresIn` (Integer): The number of seconds until the token expires.

**Success Response Example:**

```json
{
  "id": 0,
  "details": {
    "accessToken": "eyJhbGciOiJIUzI1Ni...",
    "expiresIn": 3600
  },
  "status": "1",
  "errors": []
}
```

***

## Authorization

API requests are authorized only if the request headers contain both the `Authorization` and `otp` fields.

<table><thead><tr><th>Header Key</th><th width="272">Expected Value</th><th>Example</th></tr></thead><tbody><tr><td>Authorization</td><td>Bearer {{accessToken}}</td><td>Bearer eyJhbGciOiJIUzI1Ni...</td></tr><tr><td>otp</td><td><p>TOTP using:</p><ul><li>SHA-1 hash</li><li>6 digit output</li><li>30 second interval<br>based on the user’s shared secret.</li></ul></td><td>679008</td></tr></tbody></table>
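The following Python client ties the two sections together: it computes the `otp` with the parameters in the table above (HMAC-SHA1, 6 digits, 30-second step), builds the login body from the Authentication section, and then builds the `Authorization` and `otp` headers for a later request. It is an added example, not Ibanera's own client code. It assumes the shared secret is base32-encoded (the linked TOTP guide, not this page, defines the encoding), that a non-empty `errors` list in the login response means failure, and that `BASE_URL` is a placeholder host; no network call is made.

```python
"""Login and authorized-request helpers for the flow described on this page.

Added example, not Ibanera's own client code. Assumptions: the shared secret
is base32-encoded, TOTP parameters are SHA-1 / 6 digits / 30 seconds as in the
Authorization table, a non-empty `errors` list means the login failed, and
BASE_URL is a placeholder host.
"""
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional

BASE_URL = "https://api.example.invalid"   # placeholder, not a real endpoint
LOGIN_PATH = "/api/v1/public/auth/login"   # endpoint from the page


def totp(secret: bytes, at_time: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the otp format the page requires."""
    counter = int(at_time) // period
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode a base32 shared secret; tolerates spaces, lower case and missing '='."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def build_login_body(username: str, password: str, secret: bytes,
                     at_time: Optional[float] = None) -> dict:
    """Body for POST /api/v1/public/auth/login with a freshly computed otp."""
    now = time.time() if at_time is None else at_time
    return {"username": username, "password": password, "otp": totp(secret, now)}


@dataclass(frozen=True)
class Session:
    access_token: str
    expires_at: float          # absolute epoch seconds derived from expiresIn

    def is_expired(self, now: float, margin: int = 30) -> bool:
        """Treat the token as expired `margin` seconds early to absorb clock skew
        and in-flight latency; log in again rather than send a token about to lapse."""
        return now >= self.expires_at - margin


def session_from_login_response(resp: dict, issued_at: float) -> Session:
    """Extract accessToken/expiresIn from the success response shape on the page.
    Treating a non-empty `errors` list as failure is this example's assumption."""
    if resp.get("errors"):
        raise RuntimeError(f"login failed: {resp['errors']}")
    details = resp["details"]
    return Session(details["accessToken"], issued_at + int(details["expiresIn"]))


def authorized_headers(session: Session, secret: bytes,
                       at_time: Optional[float] = None) -> dict:
    """Headers from the Authorization table: bearer token plus a fresh TOTP.
    The otp is recomputed per request because a 30-second code goes stale."""
    now = time.time() if at_time is None else at_time
    if session.is_expired(now):
        raise RuntimeError("access token expired; log in again")
    return {"Authorization": f"Bearer {session.access_token}", "otp": totp(secret, now)}


if __name__ == "__main__":
    # Constructed sample secret (the RFC 6238 test key), not a real credential.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    body = build_login_body("exampleUser", "examplePass", secret)
    # Never log the password or otp; redact before printing.
    print("POST", BASE_URL + LOGIN_PATH, {**body, "password": "<redacted>", "otp": "<redacted>"})
    # Constructed login response mirroring the page's success example.
    login_resp = {"id": 0, "details": {"accessToken": "eyJhbGciOiJIUzI1Ni...", "expiresIn": 3600},
                  "status": "1", "errors": []}
    session = session_from_login_response(login_resp, issued_at=time.time())
    print(authorized_headers(session, secret))
```

`totp` is checked against the RFC 4226/6238 test key, so a mismatch with the server usually points at clock skew or a mis-encoded secret rather than the algorithm; keep the client clock NTP-synchronized, and refresh the session before `expiresIn` elapses rather than retrying on a 401.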
