API reference

Get access token

Exchange your client credentials for a short-lived Bearer access token. Cache and reuse it until it nears expiry.

POST/v1/auth/token

Body parameters

grant_typestringrequired
Must be client_credentials.
client_idstring (UUID)required
Your public client identifier.
client_secretstringrequired
Your secret. The prefix (hpr_test_ / hpr_live_) decides the mode.

Request

POST /v1/auth/token

curl -X POST "https://<your-b2b-host>/v1/auth/token" \
  -H "Content-Type: application/json" 
  -d '{"grant_type":"client_credentials","client_id":"<client_id>","client_secret":"<client_secret>"}'

Response

Tokens currently live 1 hour (expires_in: 3600). The mode reflects which secret you used and is echoed on every authenticated response via the X-Hoopr-Mode header.

{
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "catalog:read search",
    "mode": "test"
  },
  "error": { "code": 0, "message": "Token issued" }
}

Errors

HTTP	error.type	Meaning
400	invalid_request	Missing or malformed body fields.
401	invalid_client	Unknown client_id or wrong client_secret.
403	client_inactive	The client has been deactivated.
429	rate_limited	More than 30 token requests/minute.

PreviousVersioning Next List tracks