Generate Auth Token

curl --request POST \
  --url https://loyalife-api.xoxoday.in/lbms-ingress/oauth/api/Auth/Token \
  --header 'Content-Type: application/json' \
  --data '
{
  "grant_type": "client_credentials",
  "client_id": "your-client-id",
  "client_secret": "your-client-secret"
}
'

{
  "results": {
    "token": "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTUxMiIsInR5cCI6IkpXVCJ9...",
    "tokenExpiresOn": "2026-03-16T15:15:02Z"
  }
}

POST

lbms-ingress

oauth

api

Auth

Token

Generate Auth Token

curl --request POST \
  --url https://loyalife-api.xoxoday.in/lbms-ingress/oauth/api/Auth/Token \
  --header 'Content-Type: application/json' \
  --data '
{
  "grant_type": "client_credentials",
  "client_id": "your-client-id",
  "client_secret": "your-client-secret"
}
'

{
  "results": {
    "token": "eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTUxMiIsInR5cCI6IkpXVCJ9...",
    "tokenExpiresOn": "2026-03-16T15:15:02Z"
  }
}

Loyalife uses OAuth 2.0 client credentials flow for API authentication. This endpoint exchanges your client_id and client_secret for a JWT bearer token valid for 30 minutes (configurable). Every subsequent API call must include this token in the Authorization header — there is no session or cookie-based alternative. Cache the token and reuse it; never generate a new token per request.

Credentials are per-program. Find your client_id and client_secret in Loyalife Admin under Configurations → Program Settings → API. Regenerating credentials immediately invalidates all previously issued tokens.

Responses

200 — Success

Path	Type	Description
`results.token`	string	JWT bearer token. Use as `Authorization: bearer {token}` in all subsequent calls.
`results.tokenExpiresOn`	string (date-time)	ISO 8601 expiry timestamp. Refresh before this time.

401 — Invalid Credentials

Path	Type	Description
`results.IsSucessful`	boolean	`false`
`results.ErrorCode`	string	Error code from the platform
`results.ExceptionMessage`	string	Human-readable reason — check this field for details

Error Codes

Code	ExceptionMessage	Cause
`000`	Success	Token generated successfully
`401` (HTTP)	Unauthorized	Invalid `client_id` or `client_secret`
`999`	Bad request	Missing or malformed fields in the request payload

Body

application/json

grant_type

enum<string>

required

OAuth 2.0 grant type

Available options:

client_credentials

Example:

"client_credentials"

client_id

string

required

Your OAuth client ID from Loyalife Admin → Program Configuration → API

Example:

"your-client-id"

client_secret

string

required

Your OAuth client secret. Never expose in client-side code.

Example:

"your-client-secret"

scope

string

Optional. Binds token to a specific member. JSON-encoded array: ["LOGIN","{RelationReference}"]. Omit for a general-purpose program token.

Example:

"[\"LOGIN\",\"jane.doe@example.com\"]"

Response

Token issued

results

object

Show child attributes

Idempotency Create Profile

⌘I

​Responses

​Error Codes

Body

Response

Responses

Error Codes