Overview The authentication system provides secure user login with optional OTP (One-Time Password) for enhanced security. After successful authentication, users receive an access token valid for 6 hours that authorizes all authenticated API calls.
All authentication endpoints require the x-client-key header. For US environment routing, include x-us-env: true header or region=us query parameter.
Authentication Methods The platform supports multiple authentication patterns:
Standard Login Username/password authentication for direct API access
OTP-Enhanced Login Multi-factor authentication with SMS verification codes
OAuth 2.0 Delegated authorization for third-party applications
Session Management Token-based sessions with 6-hour expiration
Login Flow Diagram Standard Login Direct authentication using email and password credentials.
Endpoint API Reference: POST /v1/auth/loginRequest cURL
JavaScript/TypeScript
Python
curl -X POST https://dev.api.baanx.com/v1/auth/login \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "[email protected] ", "password": "SecurePassword123!" }'
Response (Standard Login) When OTP is not required:
{ "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : false , "phoneNumber" : null , "phase" : null , "verificationState" : "VERIFIED" , "isLinked" : false } Response (OTP Required) When OTP is required:
{ "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : true , "phoneNumber" : "+445*****225" , "phase" : null , "verificationState" : "VERIFIED" , "isLinked" : false } When isOtpRequired: true, you must complete the OTP flow before the access token becomes valid for API calls. See the OTP Authentication section below. Response Fields Each field in the login response provides critical information about the user’s authentication state and onboarding progress:
Field Type Description accessTokenstring | null Bearer token for authenticated API calls (valid 6 hours). null when user is onboarding or OTP is required userIdstring Unique user identifier in UUID format. Always returned isOtpRequiredboolean Indicates if 2FA is enabled. When true, call /v1/auth/login/otp to send OTP, then retry login with otpCode phoneNumberstring | null Masked phone number (e.g., “+445*****225”). Only returned when isOtpRequired is true phasestring | null User’s onboarding progress. Non-null values (ACCOUNT, PHONE_NUMBER, PERSONAL_INFORMATION, PHYSICAL_ADDRESS, MAILING_ADDRESS) mean registration is incomplete. null when onboarding is complete verificationStatestring | null KYC verification status: UNVERIFIED (0), PENDING (1), VERIFIED (3), REJECTED (2) isLinkedboolean Indicates if your OAuth client already has permission to access this user’s account
Detailed Field Explanations
phase (string | null)
Indicates where the user is in the onboarding process
If null : User has completed all registration steps
If non-null : User needs to complete registration at the indicated phase
ACCOUNT: Basic account creation stepPHONE_NUMBER: Phone verification stepPERSONAL_INFORMATION: Personal details collectionPHYSICAL_ADDRESS: Physical address informationMAILING_ADDRESS: Mailing address information
userId (string)
User’s unique identifier in UUID format
Consistent across all sessions and API calls
Use this to track user sessions and for OTP requests
isOtpRequired (boolean)
When true: User has 2FA enabled and must verify with OTP code
When false: Login is complete, use the accessToken for API calls
OTP flow: Call /v1/auth/login/otp → User receives SMS → Retry /login with otpCode
phoneNumber (string | null)
Only present when isOtpRequired is true
Masked for security (e.g., “+445*****225”)
Shows where the OTP code will be sent
Display this to users so they know which device to check
accessToken (string | null)
Bearer token for Authorization header: Authorization: Bearer {token}
Valid for 6 hours (21,600 seconds)
null in these scenarios:
User is still onboarding (phase is non-null)
OTP verification is required (isOtpRequired is true)
Initial login step before OTP completion
non-null when authentication is complete and user can access API verificationState (string | null)
Maps to KYC verification status:
UNVERIFIED (0): User has not yet been verifiedPENDING (1): Verification is in progressVERIFIED (3): User is successfully verifiedREJECTED (2): Verification was rejected
Check this before allowing access to features requiring verified users
isLinked (boolean)
Indicates OAuth connection status between your client and this user
false: Your OAuth client needs to complete OAuth flow for long-lived accesstrue: Your client already has OAuth tokens and can refresh themImportant for determining whether to initiate OAuth flow after login
Edge Cases and Response Scenarios Understanding different response scenarios helps you handle all authentication states correctly:
User Still Onboarding
OTP Required
Successful Login
OAuth Linking Status
When a user hasn’t completed registration, the response indicates their current phase: { "phase" : "PHONE_NUMBER" , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : false , "phoneNumber" : null , "accessToken" : null , "verificationState" : null , "isLinked" : false } What this means:
User is stuck at the PHONE_NUMBER verification phase
No accessToken provided because onboarding is incomplete
verificationState is null because KYC hasn’t started yet What to do:
Direct user to continue registration flow
Guide them to the phone verification step
Don’t attempt to use the API until phase is null
When 2FA is enabled, the initial login response requires OTP verification: { "phase" : null , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : true , "phoneNumber" : "+445*****225" , "accessToken" : null , "verificationState" : "VERIFIED" , "isLinked" : false } What this means:
User has completed onboarding (phase is null)
2FA is enabled (isOtpRequired is true)
OTP will be sent to the masked phone number
accessToken is null until OTP is verified What to do:
Call POST /v1/auth/login/otpuserId
Display OTP input field to user
Show the masked phone number so user knows where to check
Retry POST /v1/auth/loginotpCode parameter
// Step 1: Send OTP await fetch ( '/v1/auth/login/otp' , { method: 'POST' , body: JSON . stringify ({ userId: response . userId }) }); // Step 2: Get OTP from user const otpCode = await promptUserForOtp (); // Step 3: Complete login const finalResponse = await fetch ( '/v1/auth/login' , { method: 'POST' , body: JSON . stringify ({ email: email , password: password , otpCode: otpCode }) }); When authentication is complete without additional steps: { "phase" : null , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : false , "phoneNumber" : null , "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "verificationState" : "VERIFIED" , "isLinked" : false } What this means:
Onboarding complete (phase is null)
No 2FA required (isOtpRequired is false)
Valid accessToken provided
User is verified and ready to use the API
What to do:
Store the accessToken securely
Use it in the Authorization: Bearer {token} header
Access token is valid for 6 hours
Consider initiating OAuth flow if isLinked is false and you need long-lived access
The isLinked field determines whether OAuth setup is needed: When isLinked: false: { "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "isLinked" : false , "verificationState" : "VERIFIED" }
Your OAuth client doesn’t have permission yet
If you need long-lived access (beyond 6 hours), initiate OAuth flow
Use the access token for short-term API access
See OAuth Flow Comparison below
When isLinked: true: { "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "isLinked" : true , "verificationState" : "VERIFIED" }
Your OAuth client already has permission
You have existing OAuth tokens that can be refreshed
No need to complete OAuth flow again
Use refresh token to get new access tokens without re-login
Using the Access Token After successful login, use the access token in the Authorization header for all authenticated API calls:
curl -X GET https://dev.api.baanx.com/v1/user \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Authorization: Bearer US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" Access tokens expire after 6 hours. Implement token refresh logic or require re-authentication when tokens expire.
Common Errors
{ "message" : "Invalid email or password" } Resolution : Verify credentials are correct. Implement password recovery if user has forgotten password.
{ "message" : "User not found" } Resolution : User may need to complete registration first.
{ "message" : "Account is temporarily locked" } Resolution : Account may be locked due to multiple failed login attempts. User should contact support or wait for automatic unlock.OTP Authentication For users with OTP enabled, an additional verification step is required after initial login.
OTP Flow Step 1: Check OTP Requirement After initial login, check the isOtpRequired field:
const loginResponse = await login ( email , password ); if ( loginResponse . isOtpRequired ) { console . log ( 'OTP required. Phone:' , loginResponse . phoneNumber ); await sendOtpCode ( loginResponse . userId ); } Step 2: Send OTP Code Request an OTP code to be sent via SMS to the user’s registered phone number.
Endpoint API Reference: POST /v1/auth/login/otpRequest cURL
JavaScript/TypeScript
Python
curl -X POST https://dev.api.baanx.com/v1/auth/login/otp \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Content-Type: application/json" \ -d '{ "userId": "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" }'
Response OTP codes are typically valid for 5-10 minutes. Users should enter the code promptly after receiving it.
Step 3: Submit OTP Code Complete login by submitting the OTP code along with the original credentials.
Request cURL
JavaScript/TypeScript
Python
curl -X POST https://dev.api.baanx.com/v1/auth/login \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Content-Type: application/json" \ -d '{ "email": "[email protected] ", "password": "SecurePassword123!", "otpCode": "123456" }'
Response { "accessToken" : "US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" , "userId" : "b6b9168c-bb56-4c6a-9c0d-4650ea74f5f9" , "isOtpRequired" : false , "phoneNumber" : null , "phase" : null , "verificationState" : "VERIFIED" , "isLinked" : false } After successful OTP verification, isOtpRequired will be false and the accessToken is fully valid for API calls.
Common OTP Errors
{ "message" : "Invalid OTP code" , "isOtpRequired" : true } Resolution : Ask user to check the code and try again, or request a new OTP code
{ "message" : "OTP code has expired" , "isOtpRequired" : true } Resolution : Request a new OTP code via POST /v1/auth/login/otp
{ "message" : "Too many failed OTP attempts. Please try again later." } Resolution : Wait for rate limit to reset (typically 15-30 minutes) or contact supportComplete OTP Login Example Here’s a complete implementation of the OTP login flow:
JavaScript/TypeScript
Python
class AuthService { private apiBase = 'https://dev.api.baanx.com' ; private clientKey = 'YOUR_CLIENT_KEY' ; async login ( email : string , password : string ) : Promise < LoginResponse > { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login` , { method: 'POST' , headers: { 'x-client-key' : this . clientKey , 'Content-Type' : 'application/json' }, body: JSON . stringify ({ email , password }) }); if ( ! response . ok ) { throw new Error ( `Login failed: ${ response . statusText } ` ); } return response . json (); } async sendOtpCode ( userId : string ) : Promise < void > { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login/otp` , { method: 'POST' , headers: { 'x-client-key' : this . clientKey , 'Content-Type' : 'application/json' }, body: JSON . stringify ({ userId }) }); if ( ! response . ok ) { throw new Error ( 'Failed to send OTP code' ); } } async loginWithOtp ( email : string , password : string , otpCode : string ) : Promise < string > { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login` , { method: 'POST' , headers: { 'x-client-key' : this . clientKey , 'Content-Type' : 'application/json' }, body: JSON . stringify ({ email , password , otpCode }) }); if ( ! response . ok ) { const error = await response . json (); throw new Error ( error . message || 'OTP login failed' ); } const data = await response . json (); return data . accessToken ; } async handleLogin ( email : string , password : string ) : Promise < string > { const loginResult = await this . login ( email , password ); if ( loginResult . isOtpRequired ) { console . log ( 'OTP required. Sending code to:' , loginResult . phoneNumber ); await this . sendOtpCode ( loginResult . userId ); const otpCode = await this . promptUserForOtpCode (); return await this . loginWithOtp ( email , password , otpCode ); } return loginResult . accessToken ; } private async promptUserForOtpCode () : Promise < string > { return new Promise (( resolve ) => { console . log ( 'Please enter the OTP code:' ); }); } } interface LoginResponse { accessToken : string ; userId : string ; isOtpRequired : boolean ; phoneNumber ?: string ; verificationState : string ; } const authService = new AuthService (); authService . handleLogin ( '[email protected] ' , 'SecurePassword123!' ) . then ( accessToken => { console . log ( 'Login successful! Token:' , accessToken ); localStorage . setItem ( 'accessToken' , accessToken ); }) . catch ( error => { console . error ( 'Login failed:' , error ); });
Session Management Token Expiration Access tokens are valid for 6 hours from the time of issuance. After expiration, users must re-authenticate.
Store the token creation time and implement automatic re-authentication when approaching expiration.
Token Storage Store access tokens securely based on your application type:
Web Applications: sessionStorage . setItem ( 'accessToken' , token ); localStorage . setItem ( 'accessToken' , token ); Mobile Applications:
Use secure storage mechanisms (iOS Keychain, Android Keystore)
Never store tokens in plain text files or shared preferences
Backend Applications:
Store in memory or secure session stores (Redis, database)
Use encryption for persistent storage
Token Validation Before making API calls, validate the token hasn’t expired:
function isTokenValid ( token : string , issuedAt : number ) : boolean { const SIX_HOURS_MS = 6 * 60 * 60 * 1000 ; const now = Date . now (); return ( now - issuedAt ) < SIX_HOURS_MS ; } const issuedAt = Date . now (); localStorage . setItem ( 'tokenIssuedAt' , issuedAt . toString ()); if ( ! isTokenValid ( token , parseInt ( issuedAt ))) { await reauthenticate (); } Logout Terminate the current user session and invalidate the access token.
Endpoint API Reference: POST /v1/auth/logoutRequest cURL
JavaScript/TypeScript
Python
curl -X POST https://dev.api.baanx.com/v1/auth/logout \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Authorization: Bearer US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9"
Response After logout, the access token is immediately invalidated and cannot be used for further API calls.
Login Access Token vs OAuth Tokens Understanding the difference between login access tokens and OAuth tokens helps you choose the right authentication method for your use case.
Why Exchange Tokens at the OAuth Authorize Endpoint? Even though the login accessToken works for API calls, OAuth tokens provide significant advantages for production applications:
Login Access Token Short-Term Direct Access Limitations:
Expires in 6 hours (21,600 seconds)
Cannot be refreshed
Cannot be revoked independently
No granular permission scopes
Best for:
Quick authentication for first-party apps
Short user sessions
Testing and development
Simple integrations
OAuth Tokens Long-Lived Delegated Access Advantages:
Refresh tokens last 7 days (604,800 seconds) for security compliance with financial operations
Can obtain new access tokens without re-login
Can be revoked via /oauth/revoke endpoint
PKCE security (S256 code challenge) prevents interception
Proper delegation model for third-party apps
Granular permission management
Best for:
Long-lived access
Third-party integrations
Mobile applications
Multi-tenant applications
Token Comparison Table Feature Login Access Token OAuth Access Token Lifetime 6 hours 6 hours Obtained From POST /v1/auth/loginPOST /v1/auth/oauth/tokenRefresh Capability None Via refresh token Refresh Token Lifetime N/A 7 days Revocation Expires only Can be revoked Security Model Direct credentials PKCE + OAuth 2.0 Use Case First-party, short sessions Third-party, long-lived access Best Practice Development & testing Production applications
Use Case Examples Use Login Token When
Use OAuth Tokens When
Scenario 1: First-Party Web App // Simple login for your own application const { accessToken } = await login ( email , password ); // Use for the next 6 hours const userData = await fetch ( '/v1/users/me' , { headers: { 'Authorization' : `Bearer ${ accessToken } ` } }); Scenario 2: Short Testing Session # Quick API testing curl -X GET "https://api.example.com/v1/wallets" \ -H "Authorization: Bearer US_b6b9168a-bb56-4c6a-9c0d-4650ea74f5f9" Scenario 3: Admin Tools
Internal admin dashboards
Short-lived debugging sessions
One-time data exports
Scenario 1: Mobile Application // Initial OAuth flow (once) const { access_token , refresh_token } = await completeOAuthFlow (); // Use access token for 6 hours await makeAPICall ( access_token ); // After 6 hours, refresh without re-login const newTokens = await refreshToken ( refresh_token ); // Continue for up to 7 days without user interaction Scenario 2: Third-Party Integration // Partner application accessing user data const oauthTokens = await getOAuthTokensForUser ( userId ); // Can be revoked by user at any time // Proper permission scopes // Audit trail of access Scenario 3: Long-Running Background Services
Scheduled reports sent via email
Data synchronization services
Monitoring and alerting systems
Automated financial operations
Important Future Change: The platform will eventually require OAuth tokens for all API endpoints. The login accessToken will only work for initial OAuth authorization steps. Plan your implementation accordingly.
Migration Strategy If you’re currently using login access tokens:
Identify Long-Lived Sessions
Determine which parts of your application need access beyond 6 hours
Implement OAuth Flow
Add OAuth 2.0 authorization for those long-lived sessions
Implement Token Refresh
Use refresh tokens to maintain sessions without re-authentication
Test Revocation
Ensure your app handles token revocation gracefully
Monitor Token Expiry
Track refresh token expiration (7 days) and prompt re-authentication
OAuth 2.0 Authentication For third-party applications, OAuth 2.0 provides delegated authorization without exposing user credentials.
OAuth Flow Overview Hosted UI Mode (4 Steps)
API Mode (5 Steps)
Token Types Explained
PKCE Implementation
Token Types in OAuth Flow The OAuth flow uses different tokens for different purposes: Token Type Used In Purpose Lifetime Where Used JWT Token API Mode only OAuth session tracking 10 minutes Request body in Step 3 (POST /oauth/authorize) Login Access Token API Mode only User authentication proof 6 hours Authorization header in Step 3 (POST /oauth/authorize) OAuth Access Token Both modes API authentication 6 hours Authorization header for all API calls Refresh Token Both modes Token renewal 7 days Request body when refreshing (POST /oauth/token)
Important Distinctions: JWT Token (Step 1 in API mode) :
Only for OAuth flow session
Expires in 10 minutes
Never used for API calls
Sent in request body to POST /oauth/authorize
Login Access Token (Step 2 in API mode) :
Proves user authenticated in your app
Used in Authorization: Bearer header for POST /oauth/authorize
Different from the OAuth access token you’ll get in Step 4
Only needed to complete OAuth flow
OAuth Access Token (Step 4) :
THIS is what you use for all API calls
Expires in 6 hours
Renewable via refresh token
Sent in Authorization: Bearer {token} header
Refresh Token (Step 4) :
Long-lived (7 days)
Used to get new access tokens without re-login
Send to POST /oauth/token with grant_type=refresh_token
Don’t confuse the login access token (Step 2, API mode) with the OAuth access token (Step 4). The login token is only for completing the OAuth flow. The OAuth access token is for actual API calls.
Proof Key for Code Exchange (PKCE) PKCE is mandatory for security. Here’s how to implement it: 1. Generate Code Verifier (random 43-128 characters):function generateCodeVerifier () { const array = new Uint8Array ( 32 ); crypto . getRandomValues ( array ); return base64URLEncode ( array ); } 2. Create Code Challenge (SHA256 + Base64URL):async function generateCodeChallenge ( verifier ) { const encoder = new TextEncoder (); const data = encoder . encode ( verifier ); const hash = await crypto . subtle . digest ( 'SHA-256' , data ); return base64URLEncode ( new Uint8Array ( hash )); } 3. Full Implementation :// Step 1: Generate and store const codeVerifier = generateCodeVerifier (); const codeChallenge = await generateCodeChallenge ( codeVerifier ); sessionStorage . setItem ( 'code_verifier' , codeVerifier ); // Store safely! // Step 1: Send challenge const initResponse = await fetch ( `/v1/auth/oauth/authorize/initiate?` + `code_challenge= ${ codeChallenge } &` + `code_challenge_method=S256&...` ); // Step 4: Send verifier const tokenResponse = await fetch ( '/v1/auth/oauth/token' , { method: 'POST' , body: JSON . stringify ({ grant_type: 'authorization_code' , code: authCode , code_verifier: sessionStorage . getItem ( 'code_verifier' ), // Retrieve stored value redirect_uri: 'https://yourapp.com/callback' }) }); Python Implementation :import hashlib import base64 import secrets def generate_code_verifier (): return base64.urlsafe_b64encode(secrets.token_bytes( 32 )).decode( 'utf-8' ).rstrip( '=' ) def generate_code_challenge ( verifier ): digest = hashlib.sha256(verifier.encode( 'utf-8' )).digest() return base64.urlsafe_b64encode(digest).decode( 'utf-8' ).rstrip( '=' ) Security : Never expose code_verifier in URLs, logs, or client-side code. Store it securely (sessionStorage, secure cookie, or backend session) between Steps 1 and 4.
When to Use OAuth Use OAuth 2.0 when:
Building third-party integrations
Providing API access to external partners
Creating multi-tenant applications
Implementing “Login with [Your Service]” buttons
Quick Start OAuth 2.0 implementation involves 4 steps:
Initiate Authorization
Request authorization from the user via GET /v1/auth/oauth/authorize/initiate
User Authentication
User authenticates on hosted UI (or via API-mode login)
Generate Authorization Code
Receive authorization code after user approval
Exchange for Tokens
Exchange code for access and refresh tokens via POST /v1/auth/oauth/token
For complete OAuth 2.0 implementation details, see the OAuth 2.0 Guide and API reference documentation. OAuth vs Standard Login Feature Standard Login OAuth 2.0 Use Case First-party apps Third-party integrations User Credentials Handled by your app Never exposed to your app Token Lifetime 6 hours Access: 6 hours, Refresh: 7 days Token Refresh Re-authenticate Use refresh token Delegation Direct access Scoped permissions
Best Practices
Secure Storage Always store access tokens securely. Never expose tokens in URLs, logs, or client-side code repositories.
HTTPS Only All authentication requests must use HTTPS in production. Never send credentials over unencrypted connections.
Rate Limiting Implement exponential backoff for failed login attempts to prevent brute force attacks.
Token Rotation Rotate tokens periodically and after sensitive operations. Invalidate tokens on password changes.
Error Handling Don’t leak sensitive information in error messages. Use generic messages like “Invalid credentials” instead of “User not found” or “Wrong password”.
OTP Timeout Implement countdown timers for OTP codes to improve UX. Show “Resend code” option after timeout.
Security Considerations Password Security
Never store passwords in plain text
Use secure password hashing (bcrypt, Argon2)
Implement password strength requirements
Enforce password rotation policies
Prevent password reuse
Multi-Factor Authentication OTP provides an additional security layer:
SMS-based codes (current implementation)
Consider supporting authenticator apps (TOTP)
Implement backup codes for account recovery
Allow users to enable/disable MFA
Account Protection
Lock accounts after multiple failed login attempts
Implement CAPTCHA after failed attempts
Send security alerts for suspicious logins
Log all authentication events for audit
Token Security
Use short-lived access tokens (6 hours)
Implement token rotation for refresh tokens
Invalidate all tokens on password change
Provide “Log out all devices” functionality
Troubleshooting Login Failures
Credentials Work in One Environment But Not Another
Cause : Trying to use production credentials in sandbox or vice versaResolution : Ensure you’re using the correct x-us-env header and credentials for each environment
Cause : Token expired, invalid format, or wrong environmentResolution :
Check token expiration (6-hour limit)
Verify token format includes environment prefix (e.g., “US_…”)
Ensure x-client-key matches the environment that issued the token
Cause : Phone number issues, carrier blocking, or delayResolution :
Verify phone number is correct and can receive SMS
Check spam/blocked messages on device
Wait 2-3 minutes for delivery delays
Request a new code if needed
Integration Issues Common issues when integrating authentication:
Missing Headers: # Wrong curl -X POST https://dev.api.baanx.com/v1/auth/login # Correct curl -X POST https://dev.api.baanx.com/v1/auth/login \ -H "x-client-key: YOUR_CLIENT_KEY" \ -H "Content-Type: application/json" Wrong Token Format: // Wrong headers : { 'Authorization' : accessToken } // Correct headers : { 'Authorization' : `Bearer ${ accessToken } ` } Environment Mismatch: // Production credentials with sandbox endpoint const response = await fetch ( 'https://dev.api.baanx.com/v1/auth/login' , { headers: { 'x-client-key' : 'PRODUCTION_KEY' } }); // Ensure credentials match environment Complete Authentication Example Full implementation with error handling and token management:
JavaScript/TypeScript
Python
class AuthManager { private apiBase : string ; private clientKey : string ; private tokenKey = 'accessToken' ; private tokenTimeKey = 'tokenIssuedAt' ; constructor ( apiBase : string , clientKey : string ) { this . apiBase = apiBase ; this . clientKey = clientKey ; } private get headers () { return { 'x-client-key' : this . clientKey , 'Content-Type' : 'application/json' }; } private get authHeaders () { const token = this . getToken (); return { ... this . headers , 'Authorization' : `Bearer ${ token } ` }; } async login ( email : string , password : string ) : Promise < string > { try { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login` , { method: 'POST' , headers: this . headers , body: JSON . stringify ({ email , password }) }); if ( ! response . ok ) { throw new Error ( 'Login failed' ); } const data = await response . json (); if ( data . isOtpRequired ) { await this . sendOtpCode ( data . userId ); const otpCode = await this . getOtpFromUser (); return await this . loginWithOtp ( email , password , otpCode ); } this . storeToken ( data . accessToken ); return data . accessToken ; } catch ( error ) { console . error ( 'Login error:' , error ); throw error ; } } async sendOtpCode ( userId : string ) : Promise < void > { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login/otp` , { method: 'POST' , headers: this . headers , body: JSON . stringify ({ userId }) }); if ( ! response . ok ) { throw new Error ( 'Failed to send OTP' ); } } async loginWithOtp ( email : string , password : string , otpCode : string ) : Promise < string > { const response = await fetch ( ` ${ this . apiBase } /v1/auth/login` , { method: 'POST' , headers: this . headers , body: JSON . stringify ({ email , password , otpCode }) }); if ( ! response . ok ) { throw new Error ( 'OTP verification failed' ); } const data = await response . json (); this . storeToken ( data . accessToken ); return data . accessToken ; } async logout () : Promise < void > { try { await fetch ( ` ${ this . apiBase } /v1/auth/logout` , { method: 'POST' , headers: this . authHeaders }); } finally { this . clearToken (); } } storeToken ( token : string ) : void { localStorage . setItem ( this . tokenKey , token ); localStorage . setItem ( this . tokenTimeKey , Date . now (). toString ()); } getToken () : string | null { const token = localStorage . getItem ( this . tokenKey ); if ( ! token ) return null ; if ( ! this . isTokenValid ()) { this . clearToken (); return null ; } return token ; } clearToken () : void { localStorage . removeItem ( this . tokenKey ); localStorage . removeItem ( this . tokenTimeKey ); } isTokenValid () : boolean { const issuedAt = localStorage . getItem ( this . tokenTimeKey ); if ( ! issuedAt ) return false ; const SIX_HOURS_MS = 6 * 60 * 60 * 1000 ; const elapsed = Date . now () - parseInt ( issuedAt ); return elapsed < SIX_HOURS_MS ; } isAuthenticated () : boolean { return this . getToken () !== null ; } private async getOtpFromUser () : Promise < string > { return prompt ( 'Enter OTP code:' ) || '' ; } } const authManager = new AuthManager ( 'https://dev.api.baanx.com' , 'YOUR_CLIENT_KEY' ); authManager . login ( '[email protected] ' , 'SecurePassword123!' ) . then (() => console . log ( 'Login successful' )) . catch ( error => console . error ( 'Login failed:' , error ));
Next Steps After successful authentication:
Make Authenticated Requests : Use the access token for all API callsCheck Verification Status : Verify user’s KYC status via Profile Management Implement Token Refresh : Plan for token expiration and re-authentication
