techrar docs

Authentication

Authentication Types#

Techrar API uses two different authentication types depending on whether
the request is coming from a merchant portal integration or a customer application.
| Token Type | Purpose | Example Usage |
|---|---|---|
| Merchant Access Token | Portal & admin endpoints | Manage App Config, Tags, Plans, Orders |
| Customer Access Token | Customer-facing endpoints | Checkout, Subscription, Orders |

Customer Access Token#

For customer-facing endpoints, authenticate end customers separately:
1. Call the customer authentication endpoint
2. Receive access_token and refresh_token
3. Store tokens securely
4. Use access_token for customer API calls
5. Refresh when expired using refresh_token
See Authenticating Customers for details.

Example with Customer Token#

For customer-specific endpoints:

Merchant Access Token#

To access the Techrar API, you must authenticate every request using an API token. This token is unique to your merchant account and can be generated and managed from the Techrar portal with specific permissions and expiry settings.

Overview#

All API requests require authentication via an API token in the Authorization header using the Bearer scheme.

Required Headers#

We will provide you with your Organization ID and App ID when your Sales Channel is enabled.

Generate a Merchant Access API Token#

After logging in to your Techrar account:
1. Navigate to API Tokens in the portal settings
2. Click Create API Token
3. Provide a descriptive name (e.g., "Mobile App Integration")
4. Select the required permissions (scopes)
5. Optionally set an expiry date
6. Save securely - you cannot view it again after creation
Note: Each token is associated with specific permissions and can have an expiry date. Only allowed endpoints will be accessible with that token.

Use the API Token in Requests#

Example HTTP Request#


API Token Management#

API Token Permissions#

Example permissions:
can_retrieve_app_config – Access channel configuration
can_update_app_config – Modify channel settings
can_read_order – View orders
can_write_order – Create or update orders
Tip: Only grant the permissions your integration needs.

Token Expiry#

No Expiry: Token remains active until manually revoked
Custom Expiry: Set a specific expiration date
Expired tokens return authentication errors and must be regenerated

Token Status#

Active: Valid and can be used
Inactive: Disabled (can be reactivated)
Expired: Past expiry date (cannot be used)

Rate Limits#

API tokens have rate limits to ensure platform stability. Exceeding limits results in 429 Too Many Requests responses.

Rate Limit Headers#

Custom Rate Limits#

Contact [email protected] with your use case if you need higher rate limits.

Security Best Practices#

Keep tokens secret – Never expose in public repositories or client-side code
Use descriptive names – Clearly identify token purpose
Set expiry dates – Enhanced security for temporary integrations
Regenerate compromised tokens immediately
Use HTTPS – Always make requests over HTTPS
Restrict permissions – Only enable required permissions
Monitor token usage – Review regularly for suspicious activity
Manage inactive tokens – Disable or delete unused tokens

Troubleshooting#

401 Unauthorized#

Invalid or missing token. Verify format, check expiry, ensure Bearer scheme is used.

403 Forbidden#

Insufficient permissions. Check token permissions in portal or contact support.

429 Too Many Requests#

Rate limit exceeded. Check X-RateLimit-Reset header, implement backoff, or contact support.
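
The handling described in Security Best Practices and Troubleshooting, as an added Python example (not Techrar's own code): it builds the Bearer header from an environment variable, masks the token for logging, and maps 401/403/429 to a client action. The variable name TECHRAR_API_TOKEN, the 60-second cap, and the reading of X-RateLimit-Reset as a Unix timestamp in seconds are assumptions; the page does not state the header's format.

```python
import os
import re

# Assumption: the token is supplied via this hypothetical environment variable.
TOKEN_ENV = "TECHRAR_API_TOKEN"
MAX_DELAY = 60.0  # cap on any single wait, in seconds (constructed value)


def auth_headers(token=None):
    """Build the Bearer header; the token comes from the environment, never from source."""
    token = token or os.environ.get(TOKEN_ENV, "")
    if not token or re.search(r"\s", token):
        raise ValueError("API token missing or malformed")
    return {"Authorization": f"Bearer {token}"}


def redact(headers):
    """Copy of the headers that is safe to log: the token is masked."""
    return {k: ("Bearer ***" if k.lower() == "authorization" else v)
            for k, v in headers.items()}


def retry_delay(resp_headers, attempt, now):
    """Seconds to wait after a 429. Assumes X-RateLimit-Reset is a Unix
    timestamp; if absent or unusable, falls back to capped exponential backoff."""
    raw = {k.lower(): v for k, v in resp_headers.items()}.get("x-ratelimit-reset", "")
    try:
        delay = float(raw) - now
    except ValueError:
        delay = -1.0
    if not delay > 0:  # also catches NaN and reset times already in the past
        delay = 2.0 ** attempt
    return min(delay, MAX_DELAY)


def next_action(status, resp_headers, attempt, now):
    """Map the three error codes in Troubleshooting to what the client should do."""
    if status == 401:
        return ("stop", "invalid, missing or expired token: check format and expiry")
    if status == 403:
        return ("stop", "token lacks the permission for this endpoint")
    if status == 429:
        return ("retry", retry_delay(resp_headers, attempt, now))
    return ("ok", None)
```

401 and 403 are returned as "stop" because retrying with the same token cannot succeed; only 429 is retried, and never for longer than the cap.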
Modified at 2025-12-02 11:00:25