Authentication
The Ad Verification API uses OAuth2 password-grant authentication. You exchange a username and password for an access token, then send that token as a Bearer credential on every subsequent request.
Tokens are short-lived. The API also returns a refresh token, which you use to get a new access token when the current one expires — without having to re-send the username and password.
POST /login
Section titled “POST /login”Exchanges a username and password for an access + refresh token.
The body is form-encoded (application/x-www-form-urlencoded), per the OAuth2 spec.
Request body
Section titled “Request body”| Field | Type | Required | Description |
|---|---|---|---|
username | string | Yes | Account username. |
password | string | Yes | Account password. |
Example
Section titled “Example”curl -X POST "https://{pinokio-api-url}/login" \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "username=you@example.com" \ -d "password=<password>"Response
Section titled “Response”200 OK
{ "access_token": "eyJhbGciOiJIUzI1NiIs...", "refresh_token": "eyJhbGciOiJIUzI1NiIs...", "token_type": "bearer"}Errors
Section titled “Errors”| Code | Meaning |
|---|---|
422 | Validation error — required field missing or wrong format. |
POST /refresh_token
Section titled “POST /refresh_token”Exchanges a refresh token for a fresh access token. Send this when your access token expires instead of re-running /login.
Request body
Section titled “Request body”JSON object containing your refresh token. The exact key your deployment expects is provided by Pinokio — typically refresh_token.
{ "refresh_token": "<your-refresh-token>" }Example
Section titled “Example”curl -X POST "https://{pinokio-api-url}/refresh_token" \ -H "Content-Type: application/json" \ -d '{ "refresh_token": "<your-refresh-token>" }'Response
Section titled “Response”200 OK — body contains a new access token (and possibly a new refresh token, depending on rotation policy).
Errors
Section titled “Errors”| Code | Meaning |
|---|---|
422 | Validation error — refresh token missing or malformed. |
Using the access token
Section titled “Using the access token”Pass the access token as a Bearer credential on every /v1/project/* request:
curl "https://{pinokio-api-url}/v1/project/list" \ -H "Authorization: Bearer <access_token>"If you send an expired or invalid token, the client endpoints return 400 with Invalid session! Please try again. — that is your cue to refresh and retry.