Obtaining an API Token

To obtain your initial token you need to log into the API using your Violet username and password. This should only need to be done once as you will receive a refresh token that enables you to obtain new API tokens without logging in.

curl -X POST https://sandbox-api.violet.io/v1/login \
-H "X-Violet-App-Id: your-app-id-here" \
-H "X-Violet-App-Secret: your-app-secret-here" \
-H "Content-type: application/json" \
-d '{"username": "your-username-here", "password": "your-password-here"}'

{
  "id": 9999,
  "first_name": "Ultra",
  "last_name": "Violet",
  "email": "[email protected]",
  "type": "DEVELOPER",
  "verified": true,
  "status": "ACTIVE",
  "date_created": "2016-11-01T22:17:39+0000",
  "date_last_modified": "2016-11-01T22:17:39+0000",
  "roles": [
    {
      "name": "ROLE_DEVELOPER",
      "permissions": []
    }
  ],
  "tos_accepted": true,
  "payment_configured": false,
  "token": "token-here",
  "refresh_token": "refresh-token-here"
}

Try it in Postman Now!


Remember to safeguard any sensitive API parameters and data used for testing. Avoid placing such parameters in a public Postman collection, which is visible to anyone.


The token property is a JSON Web Token granted by login for authenticated API access for a certain timespan; it is the token used to make authenticated requests against the API. The refresh_token property is a JSON Web Token granted with an extended lifespan; it is the token used to obtain a new API token.

Decoding a Token

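A JWT (JSON Web Token) consists of three parts, separated by periods. These parts are the header, the payload, and the signature. The payload part contains a JSON object that can be obtained by Base64 decoding it (JWTs use the URL-safe Base64 alphabet with the trailing padding removed). Decoding the payload only reads it; it does not verify the signature. Learn more about JWTs and the parts they consist of here.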

Token Lifespan

By default an API token will have a lifespan of 5 minutes. If you decode the token within your application you will be able to access the ‘exp’ property which provides a timestamp that represents when the token will expire. Once expired the token will no longer be usable for performing API requests. At this point you should refresh your API token.
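
As an added example (not part of the original Violet documentation), the Python code below decodes the payload of a token and uses its 'exp' property to decide when to refresh. It assumes 'exp' is expressed in seconds since the Unix epoch, as RFC 7519 defines it; the function names, the 30-second safety margin, and the sample token are constructed for this example.

```python
import base64
import json
import time


def decode_jwt_payload(token):
    """Return the payload claims. This does NOT verify the signature, so use
    the result only for client-side scheduling, never for trust decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    # JWT parts are URL-safe Base64 without padding; restore '=' first.
    segment = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(segment))
    except ValueError as exc:  # covers bad Base64, bad UTF-8 and bad JSON
        raise ValueError("payload is not Base64-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def seconds_until_expiry(token, now=None):
    """Seconds left before 'exp' (negative once expired).
    Assumption: 'exp' is seconds since the Unix epoch, as in RFC 7519."""
    exp = decode_jwt_payload(token).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("token has no numeric 'exp' claim")
    return exp - (time.time() if now is None else now)


def needs_refresh(token, now=None, margin=30):
    """True if the token is expired or expires within `margin` seconds
    (the margin is this example's choice, covering clock skew and latency)."""
    return seconds_until_expiry(token, now) <= margin


def _b64url(obj):
    """Encode a dict the way a JWT part is encoded (helper for the sample)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample (not a real Violet token): 5-minute lifespan from
# ISSUED_AT, with a dummy signature part.
ISSUED_AT = 1_700_000_000
SAMPLE_TOKEN = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                         _b64url({"exp": ISSUED_AT + 300}), "dummy-signature"])

if __name__ == "__main__":
    print(needs_refresh(SAMPLE_TOKEN, now=ISSUED_AT + 280))
```

Checking before each request and refreshing slightly early avoids sending a token that expires in flight; the API remains the authority on whether a token is still valid.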