> For the complete documentation index, see [llms.txt](https://support.portsip.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://support.portsip.com/development-portsip/rest-apis/version-22.2/get-started/authentication-and-authorization.md).

# Authentication and Authorization

#### PortSIP REST API uses Bearer Token Authentication:

* Communication with the PortSIP REST API requires authentication.
* The API utilizes Bearer token authentication, also known as token authentication.
* A bearer token is a unique, opaque string generated by the server in response to a successful login request.
* Clients must include this token in the Authorization header for accessing protected resources.

#### Obtaining an Access Token

* The Account Login API endpoint is used to acquire an access token.
* Upon successful login, the server sends a JSON response containing the access token within the `access_token`, `refresh_tokne` fields, along with additional details like expiry information and user role.

**Example Access Token Response:**

```json
{
    "access_token": "NGMZZGRMZMQTNJG4YS0ZMJY3LWI1MTUTNWZJYTDIZDA4ODAY",
    "expires_in": 3600,
    "refresh_token": "NTU4Y2UXODATYJYZZC01OGI3LTKZMTATZGQ5ZGM1ODCZMDDM",
    "token_type": "Bearer"
}
```

#### Access Token Lifetime and Refresh

* Access tokens have a limited lifespan indicated by either expires\_at or expires\_in fields in the response.
* The `expires_in` value represents the duration in seconds until the token expires (e.g., 3600 seconds for one hour).
* Before expiration, refresh the `access_token` using the refresh token API with the `refresh_token` to obtain a new one.
* Re-use the access token until it expires to optimize API calls.
