Authentication
Kard API
The Kard API supports authentication via the OAuth 2.0 client credentials flow. Each issuer client will be provided a client_id and client_secret by Kard.
Kard Authentication API v2
Use the new Kard Authentication API endpoint. Each client will have their own dedicated subdomain, which will be provided by Kard.
The API follows OAuth2.0 client credentials flow and requires:
- Authorization header: Basic authentication with base64 encoded {client_id}:{client_secret}
- Content-Type header: Must be set to application/x-www-form-urlencoded
- Request body: Form data with grant_type=client_credentials
Replace {your-client-subdomain} with the subdomain provided by Kard for your organization.
The returned access token must be used in the Authorization header as a bearer token in subsequent requests.
Response Examples
For detailed response examples with different status codes, see the Authentication API Reference.
The API returns standard HTTP status codes:
- 200: Successful authentication with access token
- 400: Bad request (missing Authorization header or invalid grant_type)
- 401: Unauthorized (invalid credentials)
- 404: Not found (client not found)
- 500: Internal server error
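The token request and the status codes above can be put together as follows. This is an added example, not Kard's own code: the function names are hypothetical, token_url stands for the Kard-provided endpoint (not shown on this page), and reading the token from an access_token field follows RFC 6749 and is an assumption about the response body.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Status codes and meanings as listed on this page.
TOKEN_ERRORS = {
    400: "bad request (missing Authorization header or invalid grant_type)",
    401: "unauthorized (invalid credentials)",
    404: "client not found",
    500: "internal server error",
}


class TokenError(Exception):
    """Raised without echoing the client secret or Authorization header."""


def build_token_request(token_url, client_id, client_secret):
    # Basic credentials: base64 of "{client_id}:{client_secret}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        token_url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


def fetch_access_token(request, opener=urllib.request.urlopen):
    try:
        with opener(request, timeout=10) as resp:
            payload = json.load(resp)
    except urllib.error.HTTPError as err:
        reason = TOKEN_ERRORS.get(err.code, "unexpected status")
        # "from None" keeps the request (and its credentials) out of the traceback chain
        raise TokenError(f"token request failed: {err.code} {reason}") from None
    # Assumption: the token is in the RFC 6749 "access_token" field.
    token = payload.get("access_token")
    if not token:
        raise TokenError("200 response carried no access_token")
    return token


def bearer_headers(access_token):
    # Header for subsequent API requests, as described above.
    return {"Authorization": f"Bearer {access_token}"}
```

Load client_id and client_secret from a secrets store or environment variables rather than source code, and keep the Authorization header out of request logs.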
Direct Cognito (Deprecated)
DEPRECATED: The direct Cognito authentication method is deprecated and will be discontinued soon. Please migrate to the new Authentication API v2 above.
GET Session Token request in root directory
- baseURL: https://test-rewards-api.auth.us-east-1.amazoncognito.com
- {clientHash}: base64 encoded copy of {client_id}:{client_secret}, provided in the postman_environment.json.
Example response: