The Kitchenhub Auth API enables secure access to all other API endpoints using OAuth2-based token authentication. Tokens have a limited lifespan and must be refreshed periodically using the provided refresh_token.

🔑 Authentication Flow

⚠️
Security Notice: Your client_secret must be securely stored and never shared with third parties. If you suspect it has been compromised, notify us immediately so we can revoke and regenerate your credentials.

To access Kitchenhub APIs, you need to:

Request an access token using your client_id and client_secret.
Use the access_token in the Authorization header of each API request.
Refresh the access_token when it expires using the refresh_token.

📥 Generate Access Token

Endpoint:
POST /v2/auth/token

Request Body:

{
  "client_id": "your_client_id",
  "client_secret": "your_client_secret"
}

Response:

{
  "access_token": "your_access_token",
  "refresh_token": "your_refresh_token",
  "access_token_expire": 1800,      // in minutes
  "refresh_token_expire": 3600    // in minutes
}

📤 Use Access Token

To authorize API requests, include the token in the request header:

Authorization: Bearer your_access_token

Example:

GET /v2/orders
Host: api.trykitchenhub.com
Authorization: Bearer eyJhbGciOi...

🔁 Refresh Access Token

Endpoint:
POST /v2/auth/token/refresh

Use this endpoint to refresh your access_token using a valid refresh_token.

Request Body:

{
  "refresh_token": "your_refresh_token"
}

Response:

{
  "access_token": "new_access_token",
  "refresh_token": "new_refresh_token",
  "access_token_expire": 1800,
  "refresh_token_expire": 3600
}

🔄
You must store the new refresh_token after each refresh, as the old one becomes invalid.

✅ Validate Token

Endpoint:
GET /v2/auth/token/validate

Use this to check if a token is still valid and active.

Authorization Header: Bearer your_token

Response:

{
    "message": "Token is valid"
}

🧪 Test Credentials

Before beginning full integration, we recommend testing your authentication flow in the staging environment to verify:

Token creation works correctly
Access token authorizes API requests
Token refresh is implemented
Token expiration is handled gracefully