Skip to main content
Get a bearer token

Get a bearer token

Exchanges a customer’s email address and password for a short-lived bearer token and a refresh token. Every authenticated API call in the Members Portal uses the access_token returned here as a Bearer credential. Pass totp when the customer has two-factor authentication enabled — omitting it when 2FA is active will return a two_factor_auth_check error.
Unlike most Nexudus API endpoints, this request must be encoded as application/x-www-form-urlencoded, not application/json. Sending a JSON body will result in an unsupported_grant_type error.

Authentication

No authentication required. This is the endpoint that issues credentials.

Request Body

grant_type
string
required
Grant flow to use. Must be password for email/password authentication.
username
string
required
The customer’s email address.
password
string
required
The customer’s password.
totp
string
Time-based One-Time Password for two-factor authentication. Required when the customer has 2FA enabled; omit otherwise.

Headers

client_id
string
A unique identifier for the client application or integration. If omitted, this defaults to the customer’s email address, which you must then use as the client_id when refreshing the token.

Response

access_token
string
Bearer token to include in the Authorization header of all subsequent authenticated requests.
token_type
string
Token scheme. Always bearer.
expires_in
number
Lifetime of the access token in seconds.
refresh_token
string
Token used to obtain a new access_token after it expires, without requiring the customer to re-enter their password.

Examples

Successful sign-in

Sign-in with client identifier

Providing a client_id is optional. If you provide one, you must use the same value when refreshing the token. If omitted, the customer’s email address is used as the client_id, which you must then pass to the refresh endpoint.

Sign-in with two-factor authentication

TypeScript Integration

Usage in Portal

Error Responses

400 Bad Request — unsupported_grant_type
error
The grant_type field is missing or the body was not encoded as application/x-www-form-urlencoded.
400 Bad Request — invalid_grant
error
Credentials are incorrect, the customer is not registered with this location, or the account has been suspended. The error_description field contains a human-readable reason.
400 Bad Request — two_factor_auth_check
error
The customer has 2FA enabled but totp was not supplied or the supplied code is invalid. Prompt the customer for their one-time code and retry.
400 Bad Request — must_reset_password
error
The customer is required to reset their password before signing in. The error_description field contains a password-reset token to pass to the reset-password flow.