The Vouchmark API authenticates requests with a short-lived JWT access token. You exchange your account credentials (or a Google ID token) for an access token plus a refresh token, then attach the access token to every API call. The same credentials power the dashboard at vouchmark.com.Documentation Index
Fetch the complete documentation index at: https://docs.vouchmark.com/llms.txt
Use this file to discover all available pages before exploring further.
Get an access token
POST /v1/login returns an access token in the response body and sets a refresh-token cookie. For server-to-server use, ignore the cookie and store the accessToken value.
Response
Call the API
Pass the token as a Bearer credential on every request:x-auth-token: <token> if you can’t set Authorization. Cookie-based auth (token cookie) works for browser clients but is not recommended for server integrations.
Refresh the token
Access tokens are short-lived (15 minutes). When the API responds with401 TOKEN_EXPIRED, call POST /v1/refresh-token using the refresh token you received at login. You’ll get a fresh access token and a rotated refresh token.
Sign out
CallPOST /v1/logout with the access token to revoke it server-side. The token is blacklisted in Redis for the remainder of its lifetime, so even an unexpired copy is rejected.
Sandbox vs. production
There’s currently a single environment —https://api.vouchmark.com. A sandbox with isolated test data is on the roadmap; until then, use a non-production company record for integration testing.
Errors
| Status | Code | Meaning |
|---|---|---|
401 | NO_TOKEN | No Authorization header. |
401 | TOKEN_EXPIRED | Refresh and retry. |
401 | TOKEN_REVOKED | Token was blacklisted (logout, password change). |
429 | — | Rate limit exceeded. See Rate limits. |