Authentication is performed via the JSON Web Tokens standard. A JWT must be sent as a standard Authorization Bearer token on each request. Obtaining a token requires having API credentials.

Creating API Credentials

Integrators provision and rotate API credentials in the Integration Dashboard through a GoTab Sandbox Account. If you are not already a GoTab API User or do not have a sandbox account please contact [email protected]. Review API Credential Creation for more information.

The two credentials provided are an api_access_id and api_access_secret.

Requesting an Access Token

The API credentials api_access_id and api_access_secret need to be included in the request body and response body will return a token and refreshToken.

curl --request POST \
     --url \
     --header 'Accept: application/json' \
     --header 'Content-Type: application/json' \
     --data '
     "api_access_id": "string",
     "api_access_secret": "string"
    "tokenType": "Bearer",
    "token": "",
    "initiated": 1659020513,
    "expires": 1659106913,
    "expiresIn": 86400,
    "refreshToken": ""

The token is short lived and will expire after 24 hours. It is recommended to refresh your token before 24 hours has elapsed to avoid disruptions. The refresh token does not expire but you will be required to generate a new auth and refresh token if they are revoked.


Refresh Token Errors

An auth token may be revoked at any time so it is also recommended to gracefully handle token expiration errors.

  • When a token is expired or has been revoked a 401 error is returned and the request can be retried.
  • When a token is invalid a 403 error is returned and you should not retry the request without modifying the data.