
User Login


POST /oauth/token

If an application needs to interact with the API as an individual user (such as a customer or merchant), a user authorization token is required. This endpoint accepts an OAuth password-grant request and returns the required token.

The response contains a Bearer token that should be provided in the Authorization header of subsequent requests to the API. It may also issue a refresh token that can be used to obtain a new access token at a later point, removing the need for the user to re-authenticate.

When the token expires, subsequent requests using that token will generate an HTTP 401 response. At this point there are two options: either use the latest refresh token to issue a refresh request, or repeat the login process in order to obtain a valid token. Note that the latter option will generally require performing a fresh client login first.


This request requires a valid client access token to be provided as the Authorization header.

Data Parameters

Note: The username and password in most cases are provided by huggg, or should be input by the user themselves. Please contact us if you would like to request access.

Key         Value      Description
grant_type  password   REQUIRED
username    String     REQUIRED. The username for the account.
password    String     REQUIRED. The password for the merchant account.


HTTP POST /oauth/token
Authorization: Bearer abc123
Content-Type: application/json

{
    "grant_type": "password",
    "username": "abc",
    "password": "xyz"
}



HTTP/1.1 200 OK

{
    "token_type" : "Bearer",
    "expires_in" : 3600,
    "access_token" : "nRC9jT/Q5E+SkeF4RqmJ6A==",
    "refresh_token" : "9s64sIpOsE20sJQQKIEVfw=="
}

If the credentials are not accepted:

HTTP/1.1 401 Unauthorized

{
    "error": "Authentication failed."
}

Not all clients are permitted to log in as users, or have permission only to log in as a subset of users. If the client token is for a client that does not have permission to log in as this user:

HTTP/1.1 403 Forbidden

{
    "error": "Forbidden."
}
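The following is an added example, not code from huggg or from this page, showing how a client would call this endpoint and handle the three documented outcomes (200, 401, 403). The HTTP transport is injected as a callable so the logic runs offline against a constructed fake that mirrors the responses above; the token values, client token `abc123` and the username/password pairs are placeholders taken from the examples on this page, not real credentials. The client tracks `expires_in` as an absolute expiry so it can replace the token shortly before the server starts returning 401, and it never echoes the password or tokens in error messages.

```python
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_PATH = "/oauth/token"

# Transport callable: (method, path, headers, body_bytes) -> (status, body_bytes).
# Injected so the login logic can be exercised without a network.
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


class LoginError(Exception):
    """Raised for 401, 403 and any other non-200 reply from /oauth/token."""

    def __init__(self, status: int, message: str):
        super().__init__(f"{status}: {message}")
        self.status = status


@dataclass
class UserToken:
    access_token: str
    refresh_token: Optional[str]
    expires_at: float  # absolute epoch seconds, derived from expires_in

    def is_expired(self, now: Optional[float] = None, skew: float = 30.0) -> bool:
        # Treat the token as expired slightly early so a request does not race
        # the server-side expiry and produce an avoidable 401.
        current = now if now is not None else time.time()
        return current >= self.expires_at - skew

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token}"}


def login_user(transport: Transport, client_token: str, username: str,
               password: str, now: Optional[float] = None) -> UserToken:
    """Perform the password-grant login described on this page."""
    headers = {
        "Authorization": f"Bearer {client_token}",  # the client access token
        "Content-Type": "application/json",
    }
    body = json.dumps({"grant_type": "password",
                       "username": username,
                       "password": password}).encode()
    status, raw = transport("POST", TOKEN_PATH, headers, body)
    try:
        payload = json.loads(raw or b"{}")
    except json.JSONDecodeError:
        payload = {}
    if status != 200:
        # 401: credentials or client token rejected; 403: this client is not
        # permitted to log in as this user. Only the server's error string is
        # surfaced, never the submitted password.
        raise LoginError(status, payload.get("error", "unexpected response"))
    if payload.get("token_type") != "Bearer":
        raise LoginError(status, "unexpected token_type")
    issued = now if now is not None else time.time()
    return UserToken(
        access_token=payload["access_token"],
        refresh_token=payload.get("refresh_token"),
        expires_at=issued + float(payload["expires_in"]),
    )


# --- Constructed fake transport mirroring the documented responses ----------
FAKE_CLIENT_TOKEN = "abc123"        # placeholder from the page, not a real token
FAKE_USERS = {"abc": "xyz"}         # constructed username -> password map
FAKE_FORBIDDEN_USERS = {"other"}    # constructed: users this client may not act as


def fake_transport(method: str, path: str, headers: Dict[str, str], body: bytes):
    if method != "POST" or path != TOKEN_PATH:
        return 404, b'{"error": "Not found."}'
    if headers.get("Authorization") != f"Bearer {FAKE_CLIENT_TOKEN}":
        return 401, b'{"error": "Authentication failed."}'
    req = json.loads(body)
    user = req.get("username")
    if user in FAKE_FORBIDDEN_USERS:
        return 403, b'{"error": "Forbidden."}'
    if req.get("grant_type") != "password" or FAKE_USERS.get(user) != req.get("password"):
        return 401, b'{"error": "Authentication failed."}'
    return 200, json.dumps({
        "token_type": "Bearer",
        "expires_in": 3600,
        "access_token": "nRC9jT/Q5E+SkeF4RqmJ6A==",
        "refresh_token": "9s64sIpOsE20sJQQKIEVfw==",
    }).encode()


if __name__ == "__main__":
    tok = login_user(fake_transport, FAKE_CLIENT_TOKEN, "abc", "xyz")
    print(tok.auth_header(), "expired:", tok.is_expired())
```

To use it against the real endpoint, supply a transport that issues the HTTP request (for example with `urllib.request`) and returns the status code and body; the rest of the flow, including the early-expiry check that decides when to refresh or log in again, stays the same.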