
API Authentication

The API of the ERP Core is a standardized set of API commands and endpoints present in all of its plug-ins.


To test the API, you can use Swagger, which is available at this link:


To use Swagger, you need to provide a valid token. Request one as shown below, click Authorize (top-right of the Swagger page), enter the token (without the “Bearer ” prefix) in the text box, then click Authorize.

After this process, you can make API calls to protected resources from Swagger.


The system provides a separate Authentication server, which is a plug-in that handles only authorization-related requests, such as log-in and log-out. This server also has access to some other system resources, but it is better to use it only for this purpose.

The server is identified by an IP and a PORT. The API endpoint format is as follows:


Most of the API endpoints require authentication. In order to call a protected API endpoint, you need to include the token in the HEADER of your call as follows:

HTTP Header Key | Content
Authentication | Bearer eyJhb … 4ZWc (truncated, please see below the full token)

The key is “Authentication”.

The content is the text “Bearer” plus a space then followed by the token provided by the server.



In order to obtain a valid JWT token, you need to make a POST request to the Authentication server.


This version of the kernel doesn’t use any encryption for the password. Future releases will use encryption. Keep that in mind when implementing the authentication functionality.

If the credentials are valid, the server will respond with a JWT token that can be used for subsequent requests.

You only need to send either the userName or email in order to identify a user.


The authentication response will contain two tokens: an access token and a refresh token. The access token is used to access resources (API calls). The refresh token is used to acquire a new access token before the current one expires, in order to allow an uninterrupted user experience.

Please note that this communication is not encrypted, so the tokens can be stolen by an attacker. Implement your own SSL between the ERP infrastructure and the final user if the network is vulnerable to attacks.
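The following client-side helper is an added example, not code from the ERP Core project. It builds the “Authentication” header described above, decides when to use the refresh token by reading the access token's expiry, and flags a base URL that would send tokens in clear text. It assumes the access token carries the standard JWT `exp` claim; all function names and the sample token are hypothetical and constructed for illustration.

```python
import base64
import json
import time

HEADER_KEY = "Authentication"  # key named on this page (not the usual "Authorization")


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (client-side scheduling only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def needs_refresh(access_token: str, now: float, margin_s: int = 60) -> bool:
    """True when the access token expires within margin_s seconds (or has no exp)."""
    exp = jwt_claims(access_token).get("exp")  # assumption: server sets the standard exp claim
    return exp is None or now >= exp - margin_s


def auth_headers(access_token: str) -> dict:
    """Header for a protected call: the text 'Bearer', a space, then the token."""
    if any(c.isspace() for c in access_token):
        raise ValueError("token contains whitespace; pass it without the 'Bearer ' prefix")
    return {HEADER_KEY: "Bearer " + access_token}


def is_plaintext(base_url: str) -> bool:
    """Flag base URLs that would send tokens unencrypted."""
    return not base_url.lower().startswith("https://")


def make_sample_token(exp: int) -> str:
    """Constructed sample token with a dummy signature; not issued by any server."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "HS256", "typ": "JWT"}),
                     b64({"sub": "demo", "exp": exp}), "constructed-signature"])


if __name__ == "__main__":
    now = time.time()
    token = make_sample_token(int(now) + 30)  # expires in 30 s, inside the 60 s margin
    print(auth_headers(token))
    print("refresh now?", needs_refresh(token, now))
    print("plaintext?", is_plaintext("http://IP:PORT"))
```

The decoded expiry is used only to schedule the refresh; the server remains the authority on whether a token is valid.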



The access token can be invalidated if a log-out request is made to the authentication server. In order to log out a user, the refresh token must be transmitted. This is required in order to avoid accidental or fraudulent log-outs.


The server will respond with success or failure and a message:

{"messageText":"User Admin@LaNuciGrup logged out.",