Obtaining API Credentials

You can generate or regenerate your client ID and client secret directly through the Vendor Portal. To access these credentials, ensure your user account is properly set up with the appropriate permissions in the Vendor Portal. Once logged in, you can manage your API credentials through the portal's interface.

Access Tokens

To authenticate API requests, you need to obtain an access token using your client credentials. The token expires after 1 hour (3600 seconds) and must then be regenerated. The examples below are shown as plain HTTP requests (easily reproduced with curl), but feel free to use your preferred platform or client.

Your application should cache the token until it expires and request a new one before making additional API calls after expiration. You can use your preferred pattern to maintain token freshness.

Example request to get access token

POST https://vendor.trr-apps.com/v1/bearer-token
Content-Type: application/json
Accept: application/json

{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Example response

{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600
}

Bearer authentication

Include the access token in the Authorization header of all API requests:

Example request with bearer token

GET /v1/vendor
Authorization: Bearer <insert token here>

Token Management

  • Tokens are valid for a fixed amount of time (1 hour/3600 seconds)
  • You should cache the token until it expires to avoid unnecessary token requests
  • Implement token refresh logic to obtain a new token before the current one expires
  • Store tokens securely and never expose them in client-side code

Security Best Practices

  • Keep your client credentials secure
  • Use HTTPS for all API requests
  • Implement proper error handling for authentication failures (detailed below)
  • Rotate client secrets periodically

Authentication Failures

Proper authentication error handling is critical for maintaining a secure and reliable integration. Here's how to implement it effectively:

Detecting Authentication Failures:

  • Authentication failures return HTTP 401 Unauthorized or 403 Forbidden status codes
  • Always check HTTP status codes before processing responses
  • Monitor for authentication-related error messages in the response body

Example error response

HTTP/1.1 401 Unauthorized

{
  "message": "Unauthorized"
}

Best Practices

  • Implement token refresh logic
  • Rate-limit retries: Avoid infinite retry loops by limiting retry attempts
  • Cache token expiration: Track token expiration time to proactively refresh

Security Considerations

  • Never store access tokens in client-side code or public repositories
  • Log authentication failures to detect potential security incidents
  • Implement exponential backoff for repeated authentication failures
  • Monitor token usage patterns to detect unauthorized access
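The following client ties together the Token Management and Authentication Failures guidance above: it caches the token, refreshes it shortly before expires_in elapses, re-authenticates once on 401/403 with bounded exponential backoff, and logs each failure. This is an added example, not the vendor's own SDK; API_BASE (the host for the GET /v1/vendor example), REFRESH_MARGIN and MAX_ATTEMPTS are assumptions, and the transport is injectable so the logic can be exercised offline.

```python
import json, logging, time, urllib.error, urllib.request

TOKEN_URL = "https://vendor.trr-apps.com/v1/bearer-token"
API_BASE = "https://vendor.trr-apps.com"   # assumed host for the "GET /v1/vendor" example
REFRESH_MARGIN = 60   # assumed: refresh this many seconds before expires_in elapses
MAX_ATTEMPTS = 3      # assumed: bound on re-authentication attempts after 401/403

class AuthError(Exception): pass

def urllib_transport(method, url, headers, body):
    # Stdlib transport returning (status, body_text); HTTPError carries 4xx/5xx bodies too
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

class VendorClient:
    def __init__(self, client_id, client_secret, transport=urllib_transport,
                 clock=time.monotonic, sleep=time.sleep):
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._send, self._clock, self._sleep = transport, clock, sleep
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0   # counts calls to the token endpoint (verifies caching)

    def _fetch_token(self):
        self.token_requests += 1
        hdrs = {"Content-Type": "application/json", "Accept": "application/json"}
        status, text = self._send("POST", TOKEN_URL, hdrs, json.dumps(self._creds))
        if status != 200:
            raise AuthError(f"token request failed: HTTP {status}")
        data = json.loads(text)
        self._token = data["access_token"]
        # Expire early so a request sent just before the hour boundary never carries a dead token
        self._expires_at = self._clock() + data["expires_in"] - REFRESH_MARGIN

    def get(self, path):
        delay = 1.0
        for attempt in range(1, MAX_ATTEMPTS + 1):
            if self._token is None or self._clock() >= self._expires_at:
                self._fetch_token()
            hdrs = {"Authorization": f"Bearer {self._token}", "Accept": "application/json"}
            status, text = self._send("GET", API_BASE + path, hdrs, None)
            if status not in (401, 403):
                return status, text
            logging.warning("auth failure HTTP %s on %s (attempt %d)", status, path, attempt)
            self._token = None    # drop the cached token so the next attempt re-authenticates
            if attempt < MAX_ATTEMPTS:
                self._sleep(delay); delay *= 2    # exponential backoff, bounded by MAX_ATTEMPTS
        raise AuthError(f"authentication failed after {MAX_ATTEMPTS} attempts")
```

Keep the client secret out of source control (environment variable or secret store) and feed it to VendorClient at startup; the bounded loop means a revoked or rotated secret surfaces as an AuthError rather than a retry storm.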