
API Authentication

A web client integration must include an authentication token as part of the HTTP header for all but a few anonymous API methods. Use the provided credentials when requesting an authentication token via the API method 1.45 Issue Token.

The response includes the JWT authentication token in the return parameter "token". Include this token in the HTTP header of every other API call, using either the custom header field "X-Auth-Token" or "Authorization".

Authentication means one of the following: (1) a security token in the form of a JWT present in the custom authentication header (to get an assertion, call the "Issue Token" or the "Issue Oauth Token" method); or (2) a request signed by a non-expired certificate that belongs to an active and not-locked user.

Please note that authentication tokens have a limited validity period - their expiration time (UTC) is communicated to you via the return parameter "validUntil". The token can be used until the expiration time and should be replaced by a new one shortly before it expires. By persisting the token alongside the expiration time, it is possible to call multiple API methods with the same token until it expires. It is recommended that tokens are reused instead of requested for each API method call in order to avoid a perception of a performance issue in web applications.

Important

Although caching the authentication token can improve performance, it is important to check for potential caching-related rejections of requests. These may result from expired tokens being served from your cache, particularly during initial sprints focused on integration.
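The sketch below is an added example, not code from this API's documentation. It shows one way to reuse a token until shortly before "validUntil" and to recover from a caching-related rejection with a single bounded retry. The `issue_token` and `send` callables, the 60-second refresh margin, the ISO 8601 format of "validUntil", and the use of HTTP 401 as the rejection status are all assumptions.

```python
from datetime import datetime, timedelta, timezone


class TokenCache:
    """Reuses one JWT until shortly before its validUntil time (UTC)."""

    def __init__(self, issue_token, margin=timedelta(seconds=60),
                 now=lambda: datetime.now(timezone.utc)):
        self._issue_token = issue_token  # hypothetical wrapper around "Issue Token"
        self._margin = margin            # assumed refresh window, not from the page
        self._now = now                  # injectable clock, so expiry can be tested
        self._token = None
        self._valid_until = None

    def invalidate(self):
        """Drop the cached token so the next get() requests a fresh one."""
        self._token = self._valid_until = None

    def get(self):
        stale = (self._token is None
                 or self._now() >= self._valid_until - self._margin)
        if stale:
            resp = self._issue_token()
            # Assumption: validUntil is an ISO 8601 timestamp in UTC.
            until = datetime.fromisoformat(
                resp["validUntil"].replace("Z", "+00:00"))
            if until.tzinfo is None:
                until = until.replace(tzinfo=timezone.utc)
            self._token, self._valid_until = resp["token"], until
        return self._token

    def call(self, send):
        """send(headers) -> (status, body); retries once if the token is rejected."""
        status, body = send({"X-Auth-Token": self.get()})
        if status == 401:  # assumed rejection status for an expired token
            self.invalidate()
            status, body = send({"X-Auth-Token": self.get()})
        return status, body
```

The single retry keeps a stale cache entry from failing a request while preventing a loop of token requests when the rejection has another cause, such as a locked user.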