Our API platform uses OAuth 2.0 for secure authentication. This section outlines the authentication flow from vendor onboarding to API access.

Authentication Process

The authentication process consists of three main steps:

Detailed Authentication Steps

1

Vendor Onboarding & API Credentials

  • A vendor is registered internally in the Charp.ai system
  • The system provides the vendor with a unique Client ID & Secret Key
  • Vendor account is assigned a plan (Free, Standard, Enterprise)
These credentials should be securely stored as they will be required for all API authentication.
2

Authentication & Token Retrieval

  • Vendors use their Client ID & Secret to request an access token
  • The request is sent to the /auth/token endpoint
  • Upon successful authentication, an access token is returned
Request
curl -X POST https://api.charp.ai/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "client_id": "your_client_id",
    "client_secret": "your_client_secret"
  }'
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def50200..."
}
3

Accessing APIs

  • The access token is included in all API requests via the Authorization header
  • The token grants access to Brand, Campaign, and Tools APIs based on the vendor’s plan
  • Token validity is checked for each request
Example API Request
curl -X GET https://api.charp.ai/brands \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Access tokens expire after the time specified in expires_in (typically 1 hour). Use the refresh token to obtain a new access token when needed.

Token Refresh

When an access token expires, you can use the refresh token to obtain a new one without requiring the client credentials again:
Refresh Token Request
curl -X POST https://api.charp.ai/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "def50200..."
  }'
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "ghi60300..."
}

Security Best Practices

Store Credentials Securely

Never hardcode credentials in client-side code or version control systems.

Implement Token Rotation

Regularly refresh tokens and implement proper token lifecycle management.

Use HTTPS

Always use HTTPS for all API communication to ensure data encryption.

Validate Responses

Always validate API responses and implement proper error handling.

Next Steps

Now that you understand the authentication flow, proceed to explore the specific API Endpoints available for your integration.