Authentication

The Giftronaut API uses OAuth 2.0. All requests to /api/v1/** require a valid Bearer token in the Authorization header.

Client Credentials flow

Ideal for server-to-server integrations where no user interaction is required.

1. Create a sandbox app

Log in to the developer portal, navigate to Apps, and click New app. Copy your client_id and client_secret — the secret is shown only once.

2. Request an access token

POST https://api.giftronaut.com/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&scope=orders.read+orders.write

3. Token response

{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "orders.read orders.write"
}

4. Use the token

GET /api/v1/orders
Authorization: Bearer eyJhbGci...

Authorization Code + PKCE flow

Use this flow when your app acts on behalf of a logged-in Giftronaut portal user.

  1. Redirect user to /oauth2/authorize with code_challenge (PKCE)
  2. User authenticates via the portal login page
  3. Authorization server redirects back to your redirect_uri with code
  4. Exchange code + code_verifier for tokens at /oauth2/token

Try It — testing in the browser

The API Reference has a built-in Try It panel that lets you send live API requests directly from your browser — no curl or Postman needed.

How to set up authentication

  1. Sign in to the developer portal.
  2. Navigate to any API Reference page (e.g. Orders).
  3. Click the Set up auth button in the top navigation bar.
  4. Select an Environment (Sandbox or Production) and a Credential.
  5. Click Generate Token — a short-lived JWT is minted server-side and stored in your browser session.
  6. Select any endpoint on the left. The Try It panel shows the resolved URL and an active auth state.
  7. Click Send request to execute the call and see the live response.

The token is stored in sessionStorage — it is automatically cleared when you close the tab or log out. You can also clear it manually via the Clear button in the auth panel. No credentials ever leave the server.

Token expiry & rotation

Environment | Access token TTL
------------|-----------------
Sandbox     | 24 hours
Production  | 1 hour

The Client Credentials flow issues no refresh_token, so tokens cannot be refreshed that way; request a new access token when the current one expires.
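The following is an added example, not code from the Giftronaut documentation, showing both flows described on this page from the client side: a PKCE code_verifier/code_challenge pair for step 1 of the Authorization Code flow, and a Client Credentials client that posts the form shown above and, because no refresh_token exists, simply re-requests a token shortly before expires_in runs out. It assumes the S256 challenge method (the page only says "code_challenge (PKCE)") and a 60-second safety margin, both of which are choices made here; the `post` and `clock` parameters exist only so the class can be exercised offline.

```python
import base64
import hashlib
import json
import secrets
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.giftronaut.com/oauth2/token"  # token endpoint from the docs above
EXPIRY_SKEW = 60  # assumption: re-request this many seconds before expires_in is reached


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636): BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge) for step 1 of the Authorization Code + PKCE flow."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


class ClientCredentialsClient:
    """Holds one access token and re-requests it near expiry (this flow has no refresh_token)."""

    def __init__(self, client_id, client_secret, scope, post=None, clock=time.time):
        self._form = {"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope}
        self._post = post or _http_post  # hypothetical injection point for offline testing
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def auth_header(self) -> dict:
        """Authorization header for /api/v1/**; fetches a token if none is held or it is about to expire."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - EXPIRY_SKEW:
            resp = self._post(TOKEN_URL, self._form)
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError(f"unexpected token_type: {resp.get('token_type')!r}")
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])  # 3600 in the sample response
        return {"Authorization": f"Bearer {self._token}"}


def _http_post(url: str, form: dict) -> dict:
    """Real transport: form-encoded POST, JSON body back (the token request shown in step 2)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())
```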