Skip to end of metadata
Go to start of metadata

Authentication Service

For authentication into the Sandbox API, please see the following wiki page: Sandbox API Authentication.

Before you use the API, you will need to use your username and password to get an authorization token. To get the token, make a POST request to with a JSON file containing your auth credentials.

This will return a JSON response with the token. You then have two options:

  • put the token in the header in future requests as Authorization: TOKEN or
  • put it in a cookie using the method discussed below (recommended).

If you do not have a username and password, please contact your Xandr representative.

For an explanation of the errors that you may encounter during and after authentication, see the "Errors" section in API Semantics.


Create a JSON-formatted text file with your username and password. Below we have used the cat command to show the output of an example file.

Then make a POST request using the "auth" file. The authorization request both sets a session cookie (IBAPI_SESSID) and returns a token in JSON. Note that we used the "verbose" parameter in the below example.

This token can now be used to make a request from the API:

Alternatively, we can use the cookie. This is the recommended method and the notation we use in our examples. Here is an example using the Member Service.

You can authenticate successfully 10 times within a 5-minute period. Any subsequent authentication attempts within those 5 minutes will result in an error.

When you authenticate, you receive an authorization token that remains active for the 2 hours following your most recent call. It is best practice to re-authenticate only after you receive the "NOAUTH" error_id in your call responses. If you follow this practice, the restraint above should have no impact on your implementation.

In addition, the service will add a 24-hour hard expiry. When an API session reaches the 24 hour mark, that session will expire, regardless of when the most recent API call was made. The current behavior, in which a session expires after two hours of inactivity on the part of the client, will remain unchanged. Programs that follow the guidelines in API Best Practices should not be affected.

  • No labels