API Authentication

MARTA provides RESTful services structured by access levels and predefined privileges.

Access is managed through a two-step authentication flow. First, the application authenticates with an api-key that MARTA issues directly to each authorized third-party application. Once authenticated, MARTA issues a signed JWT (JSON Web Token), which it validates on every call and which must be included in the headers of all subsequent requests. The api-key identifies the whole application, not an end user, so keep it on the server side and never embed it in code distributed to customers or terminals.

This implementation supports granular permission control via scopes and roles.

This approach enhances security and traceability, reduces the need for repeated authentication, and allows for more efficient session management.

Explore the different types of APIs provided by MARTA.

Authentication

Once you have received your api-key, you obtain tokens for the access levels you need via the Auth APIs.

The Auth APIs issue the authorization token that every other API family requires. The main endpoints are POST /auth and POST /auth/refreshToken.

To specify the type of access being requested, include the appropriate scope in your POST /auth request from the following options:

          • "terminal" – access to Terminal APIs,

          • "backoffice" – access to Backoffice APIs,

          • "customer" – access to Customer APIs (Pre and Post Login),

          • "terminal-backoffice" – access to both Terminal and Backoffice APIs,

          • "customersynchro" – access to parts of the Customer APIs that do not require user-level authentication,

          • "product" – access to external Product management APIs,

           • "prize" – access to external Prize and Reward Catalog APIs.

The response to POST /auth contains two tokens: a Bearer Token (the JWT described above), sent in the header of subsequent API requests and valid for 15 minutes, and a Refresh Token, valid for 60 minutes, which is passed to POST /auth/refreshToken to obtain a new Bearer Token once the current one has expired. The Refresh Token yields new Bearer Tokens without the api-key, so treat it as a credential and store it with the same care; once its 60 minutes have passed, authenticate again with POST /auth.
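The lifecycle above (api-key authentication, cached Bearer Token, renewal through the Refresh Token while its window is open, full re-authentication afterwards) as a worked client, written as an added example that is not MARTA's own code or SDK. Only the endpoint paths, the scope names and the 15-minute and 60-minute lifetimes come from this page; the `x-api-key` header name, the JSON field names (`token`, `refreshToken`, `expiresIn`, `refreshExpiresIn`), the 30-second renewal margin and the single-use rotation of the Refresh Token are assumptions made for illustration. `FakeMartaServer` is a constructed stand-in for the two Auth endpoints so the example runs offline; the real request and response shapes are in the Authentication Tutorial.

```python
# Added example (not MARTA's code): client plus a constructed fake server for the
# api-key -> POST /auth -> Bearer/Refresh -> POST /auth/refreshToken flow.
import time
import secrets

ACCESS_TTL = 15 * 60     # Bearer token lifetime stated on the page
REFRESH_TTL = 60 * 60    # Refresh token lifetime stated on the page
SKEW = 30                # assumed client margin: renew this many seconds early
API_KEY_HEADER = "x-api-key"   # assumed name of the header carrying the api-key

class AuthError(Exception): pass

class AuthClient:
    """Caches the Bearer token, renews it via the Refresh token while valid, else re-authenticates."""

    def __init__(self, api_key, scope, transport, clock=time.time):
        self._api_key, self._scope = api_key, scope
        self._transport, self._clock = transport, clock  # transport(method, path, headers, body) -> (status, body)
        self._access = self._refresh = None
        self._access_exp = self._refresh_exp = 0.0

    def _store(self, body):   # JSON field names are assumptions, not MARTA's documented schema
        now = self._clock()
        self._access, self._refresh = body["token"], body["refreshToken"]
        self._access_exp = now + body["expiresIn"]
        self._refresh_exp = now + body["refreshExpiresIn"]

    def _authenticate(self):
        status, body = self._transport("POST", "/auth", {API_KEY_HEADER: self._api_key},
                                       {"scope": self._scope})
        if status != 200:
            raise AuthError(f"POST /auth failed with status {status}")
        self._store(body)

    def _try_refresh(self):
        status, body = self._transport("POST", "/auth/refreshToken", {},
                                       {"refreshToken": self._refresh})
        if status == 200:
            self._store(body)
        return status == 200

    def bearer(self):
        now = self._clock()
        if self._access and now < self._access_exp - SKEW:
            return self._access                 # cached Bearer still inside its 15 minutes
        if self._refresh and now < self._refresh_exp - SKEW and self._try_refresh():
            return self._access                 # renewed through POST /auth/refreshToken
        self._authenticate()                    # refresh window gone (or refresh rejected): start over
        return self._access

    def headers(self):
        return {"Authorization": "Bearer " + self.bearer()}

class FakeMartaServer:
    """Constructed stand-in for the two Auth endpoints (not MARTA's server); rotates the Refresh token by assumption."""
    SCOPES = {"terminal", "backoffice", "customer", "terminal-backoffice",
              "customersynchro", "product", "prize"}

    def __init__(self, api_keys, clock):
        self._api_keys, self._clock = api_keys, clock
        self._refresh_tokens = {}  # refresh token -> (scope, expiry)
        self.auth_calls = self.refresh_calls = 0

    def _issue(self, scope):
        refresh = secrets.token_hex(16)
        self._refresh_tokens[refresh] = (scope, self._clock() + REFRESH_TTL)
        return 200, {"token": secrets.token_hex(16), "refreshToken": refresh,
                     "expiresIn": ACCESS_TTL, "refreshExpiresIn": REFRESH_TTL}

    def __call__(self, method, path, headers, body):
        if path == "/auth" and method == "POST":
            self.auth_calls += 1
            if headers.get(API_KEY_HEADER) not in self._api_keys:
                return 401, {"error": "invalid api-key"}
            if body.get("scope") not in self.SCOPES:
                return 400, {"error": "unknown scope"}
            return self._issue(body["scope"])
        if path == "/auth/refreshToken" and method == "POST":
            self.refresh_calls += 1
            entry = self._refresh_tokens.pop(body.get("refreshToken"), None)  # single use
            if entry is None or self._clock() > entry[1]:
                return 401, {"error": "refresh token invalid or expired"}
            return self._issue(entry[0])
        return 404, {}

def run_scenario(api_key="k-demo"):
    """Drive the client through the whole lifecycle on a controllable clock."""
    t = [1_000_000.0]
    clock = lambda: t[0]
    server = FakeMartaServer({"k-demo": "demo-app"}, clock)  # constructed api-key, not a real one
    client = AuthClient(api_key, "terminal", server, clock)
    first = client.bearer()                    # full authentication with the api-key
    t[0] += 10 * 60
    cached = client.bearer() == first          # still inside the 15-minute window
    t[0] += 6 * 60                             # 16 min: Bearer expired, Refresh valid
    second = client.bearer()
    t[0] += 61 * 60                            # Refresh window (60 min) exceeded
    third = client.bearer()
    return {"auth_calls": server.auth_calls, "refresh_calls": server.refresh_calls,
            "cached": cached, "distinct_tokens": len({first, second, third})}
```

`run_scenario()` exercises the three paths in order: one POST /auth for the first request, no call while the Bearer Token is fresh, one POST /auth/refreshToken after 16 minutes, and a second POST /auth once the Refresh Token's 60 minutes have passed. Renewing `SKEW` seconds early avoids a request failing with a token that expires in flight; for a real deployment replace `FakeMartaServer` with an HTTP transport and keep the api-key and Refresh Token in server-side secret storage.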

For more technical details, explore the Authentication Tutorial.
