Sign up and verify
POST /v1/signup creates an account and emails a six-digit verification code. No tokens are issued yet.
Response
POST /v1/login before verifying, the API returns 403 with data.requiresVerification: true and re-sends the code:
Response
Log in
POST /v1/login authenticates the user and, on success, sets the session cookies. The JSON body confirms success but contains no tokens.
Response
| Cookie | httpOnly | Holds |
|---|---|---|
token | yes | The access token (JWT). |
refreshToken | yes | The refresh token, rotated on every refresh. |
vm_session | no | A non-sensitive hint so the frontend can tell a session exists. |
Call the API
For browser clients, thetoken cookie is sent automatically. For server-to-server use, read the value of the token cookie and pass it as a Bearer credential on every request:
Refresh the session
The access token is short-lived (15 minutes). The refresh token lasts 30 days. When the access token expires, callPOST /v1/refresh-token. The refresh token is read from the refreshToken cookie, or you can send it in the body. A new access token and a rotated refresh token are set as cookies — they are not returned in the body.
Response
Sign out
POST /v1/logout invalidates the refresh session, blacklists the current access token in Redis for the rest of its lifetime, and clears all auth cookies.
Response
Sandbox vs. production
Widget integrations use two widget environments —sandbox and live — each with its own publishable key prefix (test_pk_ vs live_pk_) and widget IDs. See SDK environments for how environment, keys, and widget IDs must align.
All API requests use https://api.vouchmark.com/v1 — the same base URL for staging and production. Sandbox vs live is determined by your credentials, not by a different hostname.