
Overview

The DADDO API uses JWT (JSON Web Token) based authentication. After successful login, you receive a token that must be included in subsequent API requests.

Token Storage

Tokens can be stored in either:
  • localStorage - For persistent sessions (“Remember Me”)
  • sessionStorage - For temporary sessions
The choice depends on the rememberMe parameter during login.

Automatic Token Injection

Tokens are automatically included in API requests via an Axios interceptor:
api.interceptors.request.use((config) => {
  const token = localStorage.getItem("token") || 
                sessionStorage.getItem("token");
  
  if (token) {
    config.headers.Authorization = `Bearer ${token}`;
  }
  
  return config;
});

How to Authenticate

Step 1: Register or Login

First, create an account or log in to receive an authentication token.
curl -X POST https://api.yourdomain.com/user \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "securepassword",
    "name": "John Doe"
  }'

Step 2: Store the Token

Successful authentication returns:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "userdata": {
    "id": "123",
    "email": "[email protected]",
    "name": "John Doe"
  }
}
Store the token for subsequent requests.

Step 3: Include Token in Requests

Include the token in the Authorization header:
curl -X GET https://api.yourdomain.com/products \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token Expiration

Automatic Logout on Expiration

When a token expires, the API returns a 401 Unauthorized response. The system automatically:
  1. Detects the 401 status via response interceptor
  2. Checks if a token exists in storage
  3. If a token exists (so the 401 means that token has expired or been rejected), clears all auth data:
    • Removes token from localStorage
    • Removes token from sessionStorage
    • Removes user data from storage
    • Dispatches logout action to Redux store
api.interceptors.response.use(
  (response) => response,
  (error) => {
    if (error.response?.status === 401) {
      const token = localStorage.getItem("token") || 
                    sessionStorage.getItem("token");
      
      if (token) {
        // Token expired - clean up
        store.dispatch({ type: LOGOUT });
        localStorage.removeItem("token");
        sessionStorage.removeItem("token");
        localStorage.removeItem("user");
        sessionStorage.removeItem("user");
      }
    }
    return Promise.reject(error);
  }
);

Handling Expired Tokens

Your application should:
  1. Listen for logout actions
  2. Redirect users to the login page
  3. Prompt for re-authentication

Token Refresh

Currently, the API does not support token refresh. When a token expires, the user must log in again to obtain a new one.
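Since there is no refresh, a client can read the exp claim of the stored JWT and drop an expired session before sending a request the API would reject with 401 anyway. The following is an added example, not code from the DADDO docs; it assumes in-memory stand-ins for localStorage and sessionStorage (so it runs outside a browser) and only decodes the payload, leaving signature verification to the API.

```javascript
// In-memory stand-ins for localStorage ("Remember Me") and sessionStorage so this runs in Node.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}
const rememberMeStore = new MemoryStorage(); // stands in for localStorage
const sessionStore = new MemoryStorage();    // stands in for sessionStorage

// Same lookup order as the request interceptor: persistent store first, then session.
function getStoredToken() {
  return rememberMeStore.getItem("token") || sessionStore.getItem("token");
}

// Decode the payload (second base64url segment) into its claims; null if malformed.
function decodeJwtPayload(token) {
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  try {
    return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch { return null; } // not valid base64url or JSON
}

// exp is seconds since the epoch. A missing or unreadable claim counts as expired (fail closed).
function isTokenExpired(token, nowMs = Date.now()) {
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.exp !== "number") return true;
  return claims.exp * 1000 <= nowMs;
}

// Same cleanup the response interceptor performs on 401: wipe token and user from both stores.
function clearAuthData() {
  for (const s of [rememberMeStore, sessionStore]) {
    s.removeItem("token");
    s.removeItem("user");
  }
}

// Call before an authenticated request: true when a non-expired token is stored, otherwise
// clear local auth data (the caller then redirects to login) and return false.
function ensureFreshSession(nowMs = Date.now()) {
  const token = getStoredToken();
  if (token && !isTokenExpired(token, nowMs)) return true;
  clearAuthData();
  return false;
}
```

This check only saves a round trip; the 401 response interceptor is still needed, because the server may reject a token for reasons other than exp.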

Security Best Practices

  • Never expose tokens in URLs or logs
  • Use HTTPS for all API requests
  • Clear tokens on logout
  • Implement automatic logout on 401 responses:
    • Clear all stored authentication data
    • Redirect to login page
  • Choose storage according to the session type:
    • Use sessionStorage for temporary sessions
    • Use localStorage only when “Remember Me” is enabled
  • Never store tokens in cookies without HttpOnly flag

Authentication Errors

401 Unauthorized

Returned when:
  • No token is provided
  • Token is invalid or malformed
  • Token has expired
Solution: Re-authenticate by logging in again.

403 Forbidden

Returned when:
  • Token is valid but user lacks permission
  • Resource access is restricted
Solution: Contact administrator for permission.

Example: Full Authentication Flow

// 1. Login
const login = async (email, password, rememberMe) => {
  try {
    const response = await api.post('/user/login', {
      email,
      password
    });
    
    const { token, userdata } = response.data;
    
    // 2. Store token based on rememberMe preference
    const storage = rememberMe ? localStorage : sessionStorage;
    storage.setItem('token', token);
    storage.setItem('user', JSON.stringify(userdata));
    
    return { success: true, user: userdata };
  } catch (error) {
    return { success: false, error: error.message };
  }
};

// 3. Make authenticated request
const fetchProducts = async () => {
  try {
    // Token automatically included by interceptor
    const response = await api.get('/products');
    return response.data;
  } catch (error) {
    if (error.response?.status === 401) {
      // Token expired - user will be logged out automatically
      console.log('Session expired, please login again');
    }
    throw error;
  }
};

// 4. Logout: clear token and user data from both storages, whichever one was used
const logout = () => {
  localStorage.removeItem('token');
  localStorage.removeItem('user');
  sessionStorage.removeItem('token');
  sessionStorage.removeItem('user');
  // Dispatch the same LOGOUT action the response interceptor uses so Redux state is reset too
  store.dispatch({ type: LOGOUT });
};

Next Steps

Auth Endpoints

Explore authentication endpoints

Products API

Start working with products
