# Authentication and Authorization

#### PortSIP REST API uses Bearer Token Authentication:

* Every call to the PortSIP REST API must be authenticated.
* The API uses Bearer token authentication (also called token authentication), the scheme defined in RFC 6750.
* A bearer token is a unique, opaque string generated by the server in response to a successful login request; the client does not parse or interpret it, it only presents it.
* Clients must send this token in the `Authorization` header on every request for a protected resource, in the form `Authorization: Bearer <access_token>`.
* Whoever holds the token can act as the account it was issued to. Send it only over HTTPS, never place it in URLs or log files, and store it as carefully as a password.

#### Obtaining an Access Token

* The Account Login API endpoint is used to acquire an access token.
* On a successful login the server returns a JSON response containing the access token in the `access_token` field and a refresh token in the `refresh_token` field, along with additional details such as expiry information and the user role.

**Example Access Token Response:**

```json
{
    "access_token": "NGMZZGRMZMQTNJG4YS0ZMJY3LWI1MTUTNWZJYTDIZDA4ODAY",
    "expires_in": 3600,
    "refresh_token": "NTU4Y2UXODATYJYZZC01OGI3LTKZMTATZGQ5ZGM1ODCZMDDM",
    "token_type": "Bearer"
}
```

#### Access Token Lifetime and Refresh

* Access tokens have a limited lifetime, indicated by an `expires_at` or `expires_in` field in the response.
* `expires_in` is the number of seconds until the token expires (3600 in the example above, i.e. one hour), counted from the moment the response was received, so record the time at which you obtained the token.
* Before the token expires, call the refresh token API with the `refresh_token` to obtain a new access token, rather than sending the user's password to the login endpoint again.
* Reuse the access token for every request until it expires; logging in per request wastes round trips and handles the password far more often than necessary.
* The refresh token is a longer-lived credential than the access token and must be protected at least as carefully.
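
The login, header, refresh-before-expiry and reuse steps above fit together in one small client. The following is an added example, not PortSIP's own client code: the endpoint paths `/api/account/login` and `/api/account/refresh_token`, the JSON request bodies, and the `FakeServer` that stands in for the API so the code runs offline are all assumptions; the response shape (`access_token`, `refresh_token`, `expires_in`, `token_type`) is the one shown on this page. Check the real paths and request bodies against the PortSIP API reference before use.

```python
"""Bearer-token session for a REST API such as PortSIP's (added example, not
PortSIP's own client code). Assumed: the /api/account/login and
/api/account/refresh_token paths and their request bodies; the response shape
(access_token, refresh_token, expires_in, token_type) is the one the page shows."""
import time
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, headers, json_body) -> (http_status, parsed_json)
# A real transport must talk HTTPS only: a bearer token sent in clear text is a
# ready-to-use credential for anyone on the network path.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]
REFRESH_MARGIN = 60  # refresh this many seconds before expires_in runs out


class TokenSession:
    """Caches the access token, refreshes it near expiry, re-logs-in on 401."""

    def __init__(self, transport: Transport, username: str, password: str,
                 clock: Callable[[], float] = time.time):
        self.transport, self.clock = transport, clock
        self.username, self.password = username, password
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0  # clock() value at which access_token stops working
        self.logins = self.refreshes = 0

    def _store(self, body: dict) -> str:
        if body.get("token_type", "Bearer").lower() != "bearer":
            raise RuntimeError("unexpected token_type %r" % body.get("token_type"))
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # may rotate
        self.expires_at = self.clock() + float(body["expires_in"])  # expires_in is relative
        return self.access_token

    def login(self) -> str:
        status, body = self.transport("POST", "/api/account/login", {},  # assumed path
                                      {"username": self.username, "password": self.password})
        if status != 200:
            raise RuntimeError(f"login failed: HTTP {status}")
        self.logins += 1
        return self._store(body)

    def refresh(self) -> str:
        status, body = self.transport("POST", "/api/account/refresh_token", {},  # assumed path
                                      {"refresh_token": self.refresh_token})
        if status != 200:
            return self.login()  # refresh token rejected: fall back to a full login
        self.refreshes += 1
        return self._store(body)

    def token(self) -> str:
        if self.access_token is None:
            return self.login()
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            return self.refresh()
        return self.access_token  # still valid: reuse it, no extra round trip

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        status, resp = self.transport(method, path, {"Authorization": "Bearer " + self.token()}, body)
        if status == 401:  # token revoked server-side: re-authenticate once and retry
            self.access_token = None
            status, resp = self.transport(method, path, {"Authorization": "Bearer " + self.token()}, body)
        return status, resp


class FakeServer:
    """Constructed stand-in for the API so the example runs offline (not PortSIP)."""

    def __init__(self):
        self.n, self.live = 0, set()  # issue counter, access tokens still honoured

    def _issue(self) -> Tuple[int, dict]:
        self.n += 1
        self.live.add(f"AT-{self.n}")
        return 200, {"access_token": f"AT-{self.n}", "refresh_token": f"RT-{self.n}",
                     "expires_in": 3600, "token_type": "Bearer"}

    def __call__(self, method, path, headers, body):
        if path == "/api/account/login":
            return self._issue() if body == {"username": "admin", "password": "s3cret"} else (401, {})
        if path == "/api/account/refresh_token":
            return self._issue() if body.get("refresh_token") == f"RT-{self.n}" else (401, {})
        token = headers.get("Authorization", "")[len("Bearer "):]
        return (200, {"path": path}) if token in self.live else (401, {})


def demo() -> dict:
    """Walk through login, reuse, refresh near expiry and recovery from revocation."""
    now, server = [1_000_000.0], FakeServer()
    s = TokenSession(server, "admin", "s3cret", clock=lambda: now[0])
    s.request("GET", "/api/extensions")  # first call performs the login
    s.request("GET", "/api/extensions")  # cached token reused, no new login
    now[0] += 3600 - 30                  # inside REFRESH_MARGIN of expiry
    s.request("GET", "/api/extensions")  # refreshed, not re-logged-in
    server.live.clear()                  # server revokes all sessions
    status, _ = s.request("GET", "/api/extensions")  # 401 -> fresh login -> 200
    return {"logins": s.logins, "refreshes": s.refreshes, "status": status}


if __name__ == "__main__":
    print(demo())
```

The injected `clock` is what makes the expiry logic testable without waiting an hour; in production leave it at `time.time`. `demo()` performs exactly two logins (the initial one and the recovery after revocation) and one refresh across five requests, which is the behaviour the bullets above ask for. A `Transport` for the real server would be a thin wrapper over `urllib` or `requests` that refuses any base URL not starting with `https://`.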
