The general process to use token authentication is as follows:

Get a short-lived authentication access token and a long-lived refresh token.
Refresh the access token as needed by using a refresh token.
Use the "Bearer" HTTP header to make requests to the REST API or the Public API.

Access tokens are generally short-lived and you should not assume they last for more than a few minutes or hours.

🚧
Heads up!
You should always keep your refresh tokens secure, treat them as passwords.

Authentication and Refresh Token

Gets a short-lived access token and a long-lived refresh token.

POST https://spaces.nexudus.com/api/token
grant_type=password&username=:email&password=:password

📘
Content-type
Do not send a JSON body as part of this request. The grant_type and username parameters must be passed in as raw text in the body of the request

Header	Type	Description
client_id	string	Optional*. A unique identifier for the client making these requests. A single refresh token will be created per client, existing tokens for a given client_id are invalidated when a new token is requested for that client_id. If no client_id header is passed, the client id would be set to your email. The client_id parameter can be generated by you. We recommend this to be a unique global identifier. You can generate these from https://www.guidgenerator.com. Make sure to use the same client_id for all requests made by the same app.

{
  "access_token": "v8hNJebN2....",
  "token_type": "bearer",
  "expires_in": 604799,
  "refresh_token": "2669808..."
}

{
  "error": "invalid_grant",
  "error_description": "The user name or password is incorrect."
}

Refresh Access Token

Gets a new short-lived access token based on a refresh token. Refreshing a token for a client ID will invalidate all previous refresh tokens for that client ID but not existing Access Tokens that may not have expired.Refresh Tokens are valid for 15 days. If your refresh token has expired, you will need to use a username and password to create a new access token.

POST https://spaces.nexudus.com/api/token
Body:
grant_type=refresh_token&refresh_token=2669808...

📘
Content-type
Do not send a JSON body as part of this request. The grant_type and username parameters must be passed in as raw text in the body of the request

Header	Type	Description
client_id	string	Required*. The client id to refresh the access token for. This must the same as the client id you passed in when creating the access token. If you did not pass a client_id header to get the initial token, you must pass the email used to obtain the initial token as the client_id header to refresh it.