The DataExchange API uses bearer authentication. Upon authentication, the client receives a JWT token that it includes in the Authorization header of each subsequent request.
The API user must be a member of the Device Sync user group. This group is dedicated to integrations and synchronizations — its members have access to DataExchange endpoints, but they don't necessarily have access to the web interface.
Endpoint:
POST /auth/login
Request:
{
"userName": "syncics",
"password": "samepassword",
"locationCode": ""
}
Response: JWT token valid for 6 hours.
The token expires after 6 hours. The client application must handle renewal — either by periodic reauthentication or by automatically re-authenticating upon receipt of a 401 (Unauthorized) response.
The locationCode field is used internally by the Retail module to set the functional point of sale. It has no effect on API requests — it can be left blank (string empty) for all non-Retail integrations.
<!-- SCREENSHOT: Swagger — /auth/login endpoint with request and response -->