Authentication
ERPX API uses Bearer Token authentication. All API requests must include a valid token in the Authorization header.
Obtaining a Token
Login Endpoint
POST /api/v1/auth/loginRequest Body:
{
"email": "user@company.com",
"password": "your-password"
}Response:
{
"success": true,
"data": {
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
"expiresIn": 3600,
"user": {
"id": "usr_123",
"email": "user@company.com",
"name": "John Doe",
"role": "Administrator"
}
}
}Using the Token
Include the token in all subsequent requests:
curl -X GET https://your-instance.erpx.io/api/v1/items \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."Token Refresh
Tokens expire after 1 hour. Use the refresh token to obtain a new access token:
POST /api/v1/auth/refresh{
"refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
}API Keys
For server-to-server integrations, use API keys instead of user tokens:
Creating an API Key
- Navigate to Settings → API Keys
- Click Generate New Key
- Set permissions and expiry
- Copy the key (shown only once)
Using API Keys
curl -X GET https://your-instance.erpx.io/api/v1/items \
-H "X-API-Key: erpx_key_xxxxxxxxxxxxxxxxxxxx"API keys provide direct access to your ERPX data. Store them securely and never expose them in client-side code.
OAuth 2.0
For third-party application integrations, ERPX supports OAuth 2.0 Authorization Code flow:
Permissions
API access respects the same role-based permissions as the web interface:
| Scope | Description |
|---|---|
read | Read access to all permitted resources |
write | Create and update resources |
delete | Delete resources |
admin | Administrative operations |
Security Best Practices
- Rotate tokens regularly
- Use HTTPS for all API calls
- Limit API key scopes to minimum required permissions
- Monitor API usage via the audit log
- Implement IP whitelisting for production API keys