Authentication

The Dispatch API uses token-based authentication. This guide explains how to authenticate your API requests.

Overview

Authentication Method

Dispatch uses Bearer token authentication:

Generate an API token from the portal
Include token in request headers
Token provides access to your business data

Token Types

Two types of authentication:

API Tokens - For server-to-server integrations
User Tokens - For user session authentication (portal login)

API Tokens

Generating Tokens

Create an API token:

Log into Dispatch Management Portal
Navigate to Settings > API Access
Click "Generate New Token"
Provide a description for the token
Copy and securely store the token

Token Display

Important

API tokens are displayed only once at creation. Copy and store securely - you cannot retrieve it later.

Token Format

API tokens are long random strings:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Using Tokens

Authorization Header

Include the token in the Authorization header:

Authorization: Bearer YOUR_API_TOKEN

Example Request

curl -X GET "https://api.dispatch.example.com/api/v1/Orders" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
  -H "Accept: application/json"

Multiple Languages

JavaScript/Node.js

const response = await fetch('https://api.dispatch.example.com/api/v1/Orders', {
  headers: {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
  }
});

Python

import requests

headers = {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://api.dispatch.example.com/api/v1/Orders',
    headers=headers
)

C#

var client = new HttpClient();
client.DefaultRequestHeaders.Authorization =
    new AuthenticationHeaderValue("Bearer", "YOUR_API_TOKEN");

var response = await client.GetAsync(
    "https://api.dispatch.example.com/api/v1/Orders"
);

Token Management

Viewing Tokens

See all active tokens:

Go to Settings > API Access
View list of tokens
See creation date and last used

Token Details

For each token:

Description/name
Creation date
Last used date
Status (active/revoked)

Revoking Tokens

Revoke tokens that are no longer needed:

Go to Settings > API Access
Find the token
Click "Revoke"
Confirm revocation

warning

Revoking a token immediately invalidates it. Any systems using it will stop working.

User Authentication

For user-facing applications:

User provides credentials
Authenticate via login endpoint
Receive session token
Use token for subsequent requests

POST /api/user/login

Request body:

{
  "email": "[email protected]",
  "password": "userpassword"
}

Registration

New user registration:

POST /api/user/register

Request body:

{
  "email": "[email protected]",
  "password": "password",
  "confirmPassword": "password",
  "firstName": "John",
  "lastName": "Doe",
  "acceptedTerms": true
}

Email Verification

Verify user email:

POST /api/user/verify

Security Best Practices

Token Security

Never expose tokens - Don't include in client-side code
Use environment variables - Store tokens securely
HTTPS only - Always use encrypted connections
Limit distribution - Only share with necessary systems

Token Rotation

Regularly rotate tokens:

Generate new token
Update systems to use new token
Verify new token works
Revoke old token

Monitoring

Monitor token usage:

Track API calls per token
Watch for unusual patterns
Investigate anomalies
Set up alerts for suspicious activity

Compromised Tokens

If a token is compromised:

Revoke immediately - Stop the token
Generate new - Create replacement
Update systems - Deploy new token
Investigate - Determine how it leaked
Audit - Check for unauthorized access

Error Handling

Authentication Errors

Code	Error	Description
401	Unauthorized	Missing or invalid token
403	Forbidden	Valid token but insufficient permissions

Error Response

{
  "success": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or expired authentication token"
  }
}

Troubleshooting

401 Unauthorized:

Check token is included in request
Verify token format is correct
Confirm token hasn't been revoked
Check for typos in header name

403 Forbidden:

Token valid but lacks permission
Check user/token access level
Verify plan includes feature

API Token vs User Token

Aspect	API Token	User Token
Purpose	Server integration	User session
Duration	Long-lived	Session-based
Creation	Manual in portal	Via login
Scope	Full API access	User permissions
Revocation	Manual	Logout/expiry

Rate Limiting

Per-Token Limits

Rate limits apply per token:

Each token has separate quota
Limits reset periodically
Check headers for status

Rate Limit Headers

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 950
X-RateLimit-Reset: 1234567890

Handling Rate Limits

When rate limited (429 response):

Stop making requests
Wait for reset time
Implement exponential backoff
Consider request batching

Overview​

Authentication Method​

Token Types​

API Tokens​

Generating Tokens​

Token Display​

Token Format​

Using Tokens​

Authorization Header​

Example Request​

Multiple Languages​

JavaScript/Node.js​

Python​

C#​

Token Management​

Viewing Tokens​

Token Details​

Revoking Tokens​

User Authentication​

Login Flow​

Login Endpoint​

Registration​

Email Verification​

Security Best Practices​

Token Security​

Token Rotation​

Monitoring​

Compromised Tokens​

Error Handling​

Authentication Errors​

Error Response​

Troubleshooting​

API Token vs User Token​

Rate Limiting​

Per-Token Limits​

Rate Limit Headers​

Handling Rate Limits​