# Authentication

**Credential Generation**

The team will generate and provide credentials (username and password). This step will be performed only once.

**Token Generation**

Using the credentials obtained in the previous step, the user will generate a token through a service provided by the team for this purpose. This token will have a validity period, which is indicated in the service response. Within this period, the token can be used as many times as needed to invoke the services.

## Authentication endpoint

- [POST /integrator/authenticate](https://onapi.redocly.app/apis/authentication/authentication.md): Authenticates a user using their credentials and returns an access token along with a refresh token.

  This endpoint is typically used as the first step in the authentication flow. It verifies the user's credentials (e.g., username and password) and, if valid, issues tokens that can be used to access protected resources. The returned access token should be included in the header of subsequent API requests using the Bearer scheme.

  - The access token is typically short-lived and used to authorize API requests.
  - The refresh token is long-lived and can be used to obtain a new access token without re-authenticating.
  - Credentials should be transmitted over HTTPS to ensure security.
  - Refresh tokens must be securely stored and never exposed to third parties.
  - Multiple failed login attempts may result in temporary blocking or rate limiting.

## Refresh Token endpoint

- [POST /integrator/refresh-token](https://onapi.redocly.app/apis/authentication/refresh-token.md): Exchanges a valid refresh token for a new access token (and optionally a new refresh token).

  This endpoint is used to keep the user authenticated without requiring them to log in again. It should be called before the current access token expires. The client must send a valid refresh token, typically received from the login or token exchange endpoint.

  If the refresh token is valid and not expired or revoked, the response will contain a new access token. Depending on server configuration, a new refresh token may also be issued.

  - Refresh tokens must be kept secure and should not be shared or exposed.
  - Reuse of refresh tokens after logout or expiration will result in an error.
  - Clients should always update their stored refresh token if a new one is provided in the response.
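
A client-side sketch of the flow described above (an added example, not code from this API's documentation): it renews the access token before it expires, adopts a rotated refresh token when one is returned, and discards a rejected refresh token before falling back to credentials. The response field names `access_token`, `refresh_token` and `expires_in`, the `RefreshRejected` exception, and the two injected callables that wrap the HTTPS calls are assumptions; map them to the real request and response schema.

```python
import time

class RefreshRejected(Exception):
    """Raised by the refresh callable when the server rejects the refresh token."""

class TokenSession:
    """Caches the access token and renews it shortly before it expires."""

    def __init__(self, authenticate, refresh, clock=time.monotonic, skew=30.0):
        self._authenticate = authenticate  # () -> dict; wraps POST /integrator/authenticate
        self._refresh = refresh            # (token) -> dict; wraps POST /integrator/refresh-token
        self._clock = clock
        self._skew = skew                  # renew this many seconds before expiry
        self._access = None
        self._refresh_token = None         # held in memory only, never logged
        self._expires_at = 0.0

    def _store(self, resp):
        # Field names are assumed; adapt them to the actual response body.
        self._access = resp["access_token"]
        self._expires_at = self._clock() + float(resp["expires_in"])
        # Rotation: adopt a new refresh token when one is issued, else keep the old one.
        self._refresh_token = resp.get("refresh_token") or self._refresh_token

    def _renew(self):
        if self._refresh_token is not None:
            try:
                self._store(self._refresh(self._refresh_token))
                return
            except RefreshRejected:
                # Expired or revoked: discard it so it is never sent again.
                self._refresh_token = None
        self._store(self._authenticate())

    def auth_header(self):
        """Return the header for the next API request, renewing the token if needed."""
        if self._access is None or self._clock() >= self._expires_at - self._skew:
            self._renew()
        return {"Authorization": "Bearer " + self._access}

    def logout(self):
        """Forget both tokens; the next call re-authenticates with credentials."""
        self._access = self._refresh_token = None
        self._expires_at = 0.0
```

The `skew` margin keeps a request from being sent with a token that expires in flight; the callables should raise `RefreshRejected` only for a rejected token, not for network errors.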