Skip to main content
This reference provides precise specifications for authenticating API requests. All requests to the Quivo API require authentication using a session token. This ensures that only authorized users can access your account data and perform operations on your behalf. For step-by-step instructions, see the Make your first API call tutorial. The authentication process consists of the following steps:
  1. Obtaining a session token: Exchange your API credentials—API key, username, and password—for a temporary session token via the POST /login endpoint.
  2. Using the token: Include the session token in the Authorization header of all subsequent API requests.
Session tokens expire after one hour. When they expire, refresh them. See the Token expiration section below for handling token refresh automatically.

Prerequisites

Before you start, make sure you have the following:
  • Static API Key: Your static API key provided by Quivo. You can retrieve it from the Quivo Dashboard
  • Username: Your Quivo account username
  • Password: Your Quivo account password
All API examples in this reference use ${BASE_URL} as a placeholder. Replace it with the correct base URL configured for the correct environment. For more information see Environments page.

Obtain a session token

Exchange your credentials for a session token via the POST /login endpoint. Replace the placeholders with your actual data.
Use this request to exchange your credentials for a session token:
curl -X POST "${BASE_URL}/login" \
  -H "Content-Type: application/json" \
  -H "X-Api-Key: <YOUR_STATIC_API_KEY>" \
  -d '{
    "username": "<YOUR_USERNAME>",
    "password": "<YOUR_PASSWORD>"
  }'

Use the token in requests

Include the token in the Authorization header of all API requests. You must also include your API key in the X-Api-Key header. The following example shows how to make an authenticated request using the GET /orders endpoint. Replace the placeholders with your actual data.
Use this request example to make an authenticated API call with your session token:
curl -X GET "${BASE_URL}/orders" \
  -H "X-Api-Key: <YOUR_STATIC_API_KEY>" \
  -H "Authorization: <YOUR_SESSION_TOKEN>"

Token expiration

Session tokens expire after 1 hour. When a token expires, you receive a 401 Unauthorized error response.

Handling token expiration

When you receive a 401 error, your integration should automatically:
  1. Retry authentication: Call the POST /login endpoint again to obtain a new token
  2. Retry the original request: Use the new token to retry the request that failed
Implement automatic token refresh in your integration to handle expiration seamlessly. Monitor API responses for 401 Unauthorized errors and trigger re-authentication as needed.

Where to go next

Now that you understand authentication, continue with these guides:

Create a Fulfillment Order

Start the fulfillment process by creating orders for your customers.

Send Inventory

Send your products to Quivo warehouses to make them available for fulfillment.