Skip to content

Authentication

The Ad Verification API uses OAuth2 password-grant authentication. You exchange a username and password for an access token, then send that token as a Bearer credential on every subsequent request.

Tokens are short-lived. The API also returns a refresh token, which you use to get a new access token when the current one expires — without having to re-send the username and password.

Exchanges a username and password for an access + refresh token.

The body is form-encoded (application/x-www-form-urlencoded), per the OAuth2 spec.

FieldTypeRequiredDescription
usernamestringYesAccount username.
passwordstringYesAccount password.
Log in
curl -X POST "https://{pinokio-api-url}/login" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=you@example.com" \
-d "password=<password>"

200 OK

{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer"
}
CodeMeaning
422Validation error — required field missing or wrong format.

Exchanges a refresh token for a fresh access token. Send this when your access token expires instead of re-running /login.

JSON object containing your refresh token. The exact key your deployment expects is provided by Pinokio — typically refresh_token.

Refresh request
{ "refresh_token": "<your-refresh-token>" }
Refresh access token
curl -X POST "https://{pinokio-api-url}/refresh_token" \
-H "Content-Type: application/json" \
-d '{ "refresh_token": "<your-refresh-token>" }'

200 OK — body contains a new access token (and possibly a new refresh token, depending on rotation policy).

CodeMeaning
422Validation error — refresh token missing or malformed.

Pass the access token as a Bearer credential on every /v1/project/* request:

Authenticated request
curl "https://{pinokio-api-url}/v1/project/list" \
-H "Authorization: Bearer <access_token>"

If you send an expired or invalid token, the client endpoints return 400 with Invalid session! Please try again. — that is your cue to refresh and retry.