Authentication

The AS2Expert API uses Bearer token authentication to provide secure access to its resources. To authenticate your requests, include your API token in the Authorization header of every HTTP request. This mechanism uniquely identifies your account and enforces the corresponding permissions.

HEADER Authorization: Bearer {token}
Authentication header

Every API request must include this header. The Bearer prefix identifies the authentication type and must be followed by a space and your access token.

HTTP Header
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Get a token

Public signup no longer generates an API token automatically. Registration creates your user and your initial station, but token enablement must happen later from the authenticated environment or through the appropriate administrative workflow.

This separation avoids exposing sensitive credentials during public onboarding and allows better control over scopes assigned to each integration.

POST /auth/token (coming soon)

Reserved endpoint for future token management. The current API already validates read, write, and admin scopes on each token, but provisioning is still handled outside this public documentation.

Free onboarding flow

The public Free flow and the public API token lifecycle are intentionally separated:

  1. Register a Free account on the public site.
  2. The onboarding flow creates your user and your initial station for the current domain.
  3. No API token is issued during public signup.
  4. The token is enabled later from the authenticated environment or from the administrative workflow.

Station visibility is domain-scoped. The same token can only see the stations, partners, certificates, and messages exposed by the domain where the API is published, such as free.as2expert.com.

Scopes

Scope   Meaning
read    Allows listing, detail retrieval, and metrics reading
write   Allows creating entities, sending messages, and configuring webhooks
admin   Allows write operations on endpoints that accept write or admin

Authentication examples

curl
curl -X POST "https://free.as2expert.com/api/v1/stations" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{}'
Python
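import os

import requests

# Read the token from the environment (as the curl example does with
# $API_TOKEN) so it is never committed to source control.
API_TOKEN = os.environ["API_TOKEN"]
headers = {
    "Authorization": f"Bearer {API_TOKEN}",
    "Content-Type": "application/json"
}

# Example authenticated request; the timeout keeps a stalled connection
# from hanging the caller indefinitely.
response = requests.post(
    "https://free.as2expert.com/api/v1/stations",
    headers=headers,
    json={},
    timeout=10
)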
JavaScript
const response = await fetch("https://free.as2expert.com/api/v1/stations", {
  method: "POST",
  headers: {
    "Authorization": "Bearer YOUR_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({})
});

Authentication errors

If the token is invalid or expired, the API will return:

{
  "status": "error",
  "msg": "Invalid token"
}
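
The header format and the error body documented on this page, handled on the client side. This is an added example, not AS2Expert's own code: the function names are hypothetical, the sample token is constructed, and the character check follows the RFC 6750 Bearer token grammar, which is an assumption about the tokens this API issues.

```python
import json
import re

# RFC 6750 b64token grammar: letters, digits, - . _ ~ + / and trailing '='.
# Assumption: AS2Expert tokens (JWT-like on this page) fit this grammar.
_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


def build_auth_headers(token: str) -> dict:
    """Return headers carrying 'Authorization: Bearer <token>'.

    Rejects empty tokens and tokens containing whitespace, CR/LF or other
    characters outside the grammar, so a corrupted secret (for example one
    read from a file with a trailing newline) cannot split the header.
    """
    if not token or not _B64TOKEN.fullmatch(token):
        raise ValueError("API token is empty or contains invalid characters")
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }


def redact_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to write to logs."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = "Bearer [REDACTED]"
    return safe


def is_invalid_token_response(body: str) -> bool:
    """True when the body is the documented invalid/expired token error."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return False
    return (
        isinstance(data, dict)
        and data.get("status") == "error"
        and data.get("msg") == "Invalid token"
    )


if __name__ == "__main__":
    # Constructed sample token, not a real credential.
    headers = build_auth_headers("sample.token-value_123")
    print(redact_headers(headers))
    print(is_invalid_token_response('{"status": "error", "msg": "Invalid token"}'))
```

The API returns the same message for invalid and expired tokens, so a client that sees this error should stop retrying with the same token rather than loop.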