Skip to Content
ERPX Documentation — Your complete guide to the ERPX platform
API ReferenceAuthentication

Authentication

ERPX API uses Bearer Token authentication. All API requests must include a valid token in the Authorization header.

Obtaining a Token

Login Endpoint

POST /api/v1/auth/login

Request Body:

{ "email": "user@company.com", "password": "your-password" }

Response:

{ "success": true, "data": { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...", "expiresIn": 3600, "user": { "id": "usr_123", "email": "user@company.com", "name": "John Doe", "role": "Administrator" } } }

Using the Token

Include the token in all subsequent requests:

curl -X GET https://your-instance.erpx.io/api/v1/items \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token Refresh

Tokens expire after 1 hour. Use the refresh token to obtain a new access token:

POST /api/v1/auth/refresh
{ "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..." }

API Keys

For server-to-server integrations, use API keys instead of user tokens:

Creating an API Key

  1. Navigate to Settings → API Keys
  2. Click Generate New Key
  3. Set permissions and expiry
  4. Copy the key (shown only once)

Using API Keys

curl -X GET https://your-instance.erpx.io/api/v1/items \ -H "X-API-Key: erpx_key_xxxxxxxxxxxxxxxxxxxx"

API keys provide direct access to your ERPX data. Store them securely and never expose them in client-side code.

OAuth 2.0

For third-party application integrations, ERPX supports OAuth 2.0 Authorization Code flow:

Step 1: Authorization Request

Redirect users to:

GET https://your-instance.erpx.io/oauth/authorize? client_id=YOUR_CLIENT_ID& redirect_uri=https://your-app.com/callback& response_type=code& scope=read write

Permissions

API access respects the same role-based permissions as the web interface:

ScopeDescription
readRead access to all permitted resources
writeCreate and update resources
deleteDelete resources
adminAdministrative operations

Security Best Practices

  • Rotate tokens regularly
  • Use HTTPS for all API calls
  • Limit API key scopes to minimum required permissions
  • Monitor API usage via the audit log
  • Implement IP whitelisting for production API keys