Authentication | Kard API

Kard API

The Kard API supports authentication via OAuth2.0’s client credentials. Issuer client will be provided client_id and client_secret by Kard.

Kard Authentication API v2

Use the new Kard Authentication API endpoint. Each client will have their own dedicated subdomain, which will be provided by Kard.

The API follows OAuth2.0 client credentials flow and requires:

Authorization header: Basic authentication with base64 encoded {client_id}:{client_secret}
Content-Type header: Must be set to application/x-www-form-urlencoded
Request body: Form data with grant_type=client_credentials

1 const axios = require('axios');
2 
3 const config = {
4     method: 'POST',
5     url: 'https://{your-client-subdomain}.getkard.com/v2/auth/token',
6     headers: {
7         'Authorization': 'Basic {base64_encoded_client_id:client_secret}',
8         'Content-Type': 'application/x-www-form-urlencoded'
9     },
10     data: 'grant_type=client_credentials'
11 };
12 
13 axios(config)
14 .then(function (response) {
15     console.log(JSON.stringify(response.data));
16 })
17 .catch(function (error) {
18     console.log(error);
19 });

Replace {your-client-subdomain} with the subdomain provided by Kard for your organization. The returned access token must be used in the Authorization header as a bearer token in subsequent requests.

Response Examples

The API returns standard HTTP status codes:

200: Successful authentication with access token
400: Bad request (missing Authorization header or invalid grant_type)
401: Unauthorized (invalid credentials)
404: Not found (client not found)
500: Internal server error

Example Successful Response:

1 {
2     "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
3     "token_type": "Bearer",
4     "expires_in": 3600
5 }

Direct Cognito (Deprecated)

DEPRECATED: The direct Cognito authentication method is deprecated and will be discontinued soon. Please migrate to the new Authentication API v2 above.

GET Session Token request in root directory
baseURL: https://test-rewards-api.auth.us-east-1.amazoncognito.com
{clientHash}: base64 encoded copy of {client_id}:{client_secret}, provided in the postman_environment.json.

1 const axios = require('axios');
2 
3 const config = {
4     method: 'POST',
5     url: 'https://test-rewards-api.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials',
6     headers: {
7         'Content-Type': 'application/x-www-form-urlencoded',
8         'Authorization': 'Basic {clientHash}'
9     }
10 };
11 
12 axios(config)
13 .then(function (response) {
14     console.log(JSON.stringify(response.data));
15 })
16 .catch(function (error) {
17     console.log(error);
18 });

Example response:

1 {
2     "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
3     "token_type": "Bearer",
4     "expires_in": 3600
5 }