🔌Authentication
Introduction
Authentication for the Gangmates API is based on bearer tokens. Each company is issued a unique API token that must be included in the header of each request to authenticate and authorize access to the API endpoints.
Obtaining an API Token
To obtain an API token, contact your administrator. The token will be provided and must be kept secure.
Using the API Token
Include the API token in the Authorization
header of your HTTP requests. The format should be as follows:
Authorization: Bearer {your_api_token}
Example Request
GET /api/paystubs HTTP/1.1
Host: stage.gangmates.com
Authorization: Bearer your_api_token
Managing API Tokens
API tokens can be managed through the Gangmates UI. Each company can generate, regenerate, and invalidate their API token.
Generating a New Token
Log in to the Gangmates UI.
Navigate to the "Security" tab then select "API" from the drop down.
Click the "Generate Token" button.
The new token will be generated. Copy and store it securely.
Invalidating a Token
Log in to the Gangmates UI.
Navigate to the "Security" tab then select "API" from the drop down.
Click the "Invalidate Token" button.
The token will be invalidated, and any further requests using that token will be unauthorized.
Token lifecycle
Sliding expiry: tokens expire 30 days from last use. Every successful call resets the expiry to 30 days from "now".
Inactivity revocation: tokens unused for 30 days are revoked and will return
401 Token expired
.Scopes: tokens may carry scopes that map to route names. If a route isn’t allowed by your scopes, you’ll receive
403
.Special scope:
all
grants access to all scoped endpoints.
Tip: Rotate and store tokens securely. Revoke compromised tokens from Security → API in the UI.
Error Handling
If an invalid or missing token is provided, the following response will be returned:
{
"error": "Unauthorized"
}
Ensure that your token is correctly included in the Authorization
header of each request.
Contact
For any questions or support, please contact our support team at [email protected].
Last updated