# Authentication

The Creditsafe API uses a secure authentication mechanism to ensure that only authorized users can access API resources. Understanding how authentication works is essential for successfully integrating with the API.

## Authentication Method

Creditsafe Connect API uses **JWT (JSON Web Token)** based authentication. This token-based approach provides a secure and efficient way to authenticate API requests.

### How It Works

1. **Obtain Credentials**
   - You will be provided with a username and password by Creditsafe
   - These credentials are unique to your account and should be kept secure
2. **Request an Access Token**
   - Use your username and password to authenticate and receive a JWT
   - The authentication endpoint returns a token that must be included in all subsequent API requests
   - This token serves as proof of your identity and authorization
3. **Include Token in API Requests**
   - Add the JWT to the `Authorization` header of your HTTP requests
   - Format: `Authorization: Bearer <token>`
   - The token must be included in every API call to authenticate your request

### Token Expiry

| Property | Value |
| --- | --- |
| **Token Lifespan** | 1 hour |
| **Action Required** | Request a new token before expiry |
| **Best Practice** | Implement automatic token refresh in your application |

**Important:** JWTs expire after **one hour**. To maintain uninterrupted connectivity:

- Monitor token expiry time
- Request a new token before the current one expires, and reuse it until then (authenticating on every call is unnecessary and counts against the authentication rate limit)
- Update your application to use the new token for subsequent requests

Failure to refresh the token will result in `401 Unauthorized` errors when making API calls.

## Rate Limiting

Authentication requests are subject to rate limiting to prevent abuse and ensure service availability. For detailed information about rate limits and how they apply to authentication and other API endpoints, please refer to the [Rate Limiting](/connect-apis-catalog/information/ratelimiting) documentation.
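The refresh procedure described under Token Expiry, as a worked client example. This is added example code, not Creditsafe's own client or SDK. It assumes only what the page states: `POST /authenticate` with a JSON username/password body returns `{"token": ...}`, and the token is sent as `Authorization: Bearer <token>` and lives one hour. The five-minute refresh margin, the base URL, the use of the token's `exp` claim (with the one-hour lifetime as fallback) and the `FakeApi` server stand-in are assumptions constructed so the flow runs offline.

```python
"""Bearer-token lifecycle for a JWT-authenticated API: cache the token, refresh it
before expiry, re-authenticate once on 401. Added example, not Creditsafe's code."""
import base64
import json
import threading
import time
import urllib.error
import urllib.request

AUTH_PATH = "/authenticate"   # from the page: POST /authenticate returns {"token": ...}
TOKEN_LIFETIME_S = 3600       # from the page: tokens expire after one hour
REFRESH_MARGIN_S = 300        # assumption: refresh five minutes before expiry


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding


def jwt_exp(token):
    """Return the 'exp' claim (seconds since epoch) of a JWT, or None if unreadable.
    The signature is NOT verified here: the client only uses exp to schedule a
    refresh; validating the token is the server's job."""
    try:
        return float(json.loads(_b64url_decode(token.split(".")[1]))["exp"])
    except (IndexError, KeyError, ValueError, TypeError):
        return None


def urllib_send(method, url, headers, body):
    """Default transport -> (status, body bytes). Only ever use it with https:// URLs."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class TokenManager:
    """Holds one token per credential pair and hands out a still-valid one on demand."""

    def __init__(self, base_url, username, password, send=urllib_send, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._creds = json.dumps({"username": username, "password": password}).encode()
        self._send, self._clock = send, clock
        self._lock = threading.Lock()
        self._token, self._expires_at = None, 0.0

    def _authenticate(self):
        status, body = self._send("POST", self.base_url + AUTH_PATH,
                                  {"Content-Type": "application/json"}, self._creds)
        if status != 200:
            raise PermissionError(f"authentication failed: HTTP {status}")
        self._token = json.loads(body)["token"]
        # Prefer the token's own exp; fall back to the documented one-hour lifetime.
        self._expires_at = jwt_exp(self._token) or self._clock() + TOKEN_LIFETIME_S

    def token(self):
        """Return a token with at least REFRESH_MARGIN_S of life left, refreshing if needed."""
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - REFRESH_MARGIN_S:
                self._authenticate()
            return self._token

    def request(self, method, path, body=None):
        """Send an authenticated request; on 401 drop the token, re-authenticate, retry once."""
        for attempt in range(2):
            headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
            status, resp = self._send(method, self.base_url + path, headers, body)
            if status != 401 or attempt == 1:
                return status, resp
            with self._lock:
                self._token = None  # rejected before our expiry estimate: force re-auth


class FakeApi:
    """Constructed offline stand-in for the server; issues unsigned tokens with an exp claim."""

    def __init__(self, password="correct-pw"):
        self.now, self.password = 1_700_000_000.0, password
        self.auth_calls, self.valid = 0, set()

    def _issue(self):
        def seg(d):
            return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
        tok = seg({"alg": "HS256", "typ": "JWT"}) + "." + seg({"exp": self.now + TOKEN_LIFETIME_S}) + ".fakesig"
        self.valid.add(tok)
        return tok

    def send(self, method, url, headers, body):
        if url.endswith(AUTH_PATH):
            self.auth_calls += 1
            if json.loads(body)["password"] != self.password:
                return 401, b"{}"
            return 200, json.dumps({"token": self._issue()}).encode()
        tok = headers.get("Authorization", "")[len("Bearer "):]
        if tok in self.valid and jwt_exp(tok) > self.now:
            return 200, b'{"ok": true}'  # constructed sample body
        return 401, b"{}"


def demo():
    """Walk the token lifecycle against FakeApi and report how often we authenticated."""
    api = FakeApi()
    tm = TokenManager("https://api.example.invalid", "user", "correct-pw",
                      send=api.send, clock=lambda: api.now)
    s1, _ = tm.request("GET", "/companies/{connectId}")  # first call authenticates
    s2, _ = tm.request("GET", "/companies/{connectId}")  # cached token reused
    after_two = api.auth_calls
    api.now += TOKEN_LIFETIME_S - REFRESH_MARGIN_S       # clock enters the refresh window
    s3, _ = tm.request("GET", "/companies/{connectId}")  # proactive refresh, no 401 seen
    after_refresh = api.auth_calls
    api.valid.clear()                                     # server invalidates tokens early
    s4, _ = tm.request("GET", "/companies/{connectId}")  # 401 -> re-auth -> retry
    try:
        TokenManager("https://api.example.invalid", "user", "wrong", send=FakeApi().send).token()
        bad_creds_rejected = False
    except PermissionError:
        bad_creds_rejected = True
    return {"statuses": (s1, s2, s3, s4), "after_two": after_two,
            "after_refresh": after_refresh, "after_revoke": api.auth_calls,
            "bad_creds_rejected": bad_creds_rejected}
```

Two design points: the token is only ever read from `token()`, so every caller gets the refreshed value without having to know a refresh happened; and a 401 is retried exactly once, so an account whose credentials are wrong fails fast with `PermissionError` instead of hammering the rate-limited `/authenticate` endpoint.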
## Security Best Practices

- **Never share your credentials** with unauthorized parties
- **Store credentials securely** using environment variables or secure credential management systems
- **Treat tokens as secrets too**: a bearer token grants access to anyone who presents it, so do not log it or place it in URLs
- **Implement token refresh logic** to handle expiry gracefully
- **Use HTTPS** for all API communications, including the authentication request, which carries your password
- **Rotate credentials regularly** as part of your security policies
- **Monitor authentication failures** to detect potential security issues

## Example Authentication Flow

```bash
# 1. Exchange your username and password for a token.
#    BASE_URL is a placeholder for the Connect API base URL of your environment.
curl -s -X POST "$BASE_URL/authenticate" \
  -H "Content-Type: application/json" \
  -d '{"username": "your_username", "password": "your_password"}'

# 2. Response:
#    { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }

# 3. Subsequent API request, with the token in the Authorization header
#    (replace {connectId} with the company's connectId):
curl -s "$BASE_URL/companies/{connectId}" \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
```

## Troubleshooting

| Issue | Solution |
| --- | --- |
| **401 Unauthorized** | Token may be expired or invalid - request a new token |
| **403 Forbidden** | Your account may not have permissions for the requested resource |
| **429 Too Many Requests** | You have exceeded rate limits - refer to [Rate Limiting](/connect-apis-catalog/information/ratelimiting) |

For additional support, please refer to the [Providing Feedback](/connect-apis-catalog/information/feedback) page.