
# Generate Auth Token

> Exchange your client credentials for a JWT bearer token.

Loyalife uses OAuth 2.0 client credentials flow for API authentication. This endpoint exchanges your `client_id` and `client_secret` for a JWT bearer token valid for **30 minutes** (configurable). Every subsequent API call must include this token in the `Authorization` header — there is no session or cookie-based alternative. Cache the token and reuse it; never generate a new token per request.

<Note>
  Credentials are **per-program**. Find your `client_id` and `client_secret` in Loyalife Admin under **Configurations → Program Settings → API**. Regenerating credentials immediately invalidates all previously issued tokens.
</Note>

## Responses

<AccordionGroup>
  <Accordion title="200 — Success">
    | Path                     | Type               | Description                                                                       |
    | ------------------------ | ------------------ | --------------------------------------------------------------------------------- |
    | `results.token`          | string             | JWT bearer token. Use as `Authorization: bearer {token}` in all subsequent calls. |
    | `results.tokenExpiresOn` | string (date-time) | ISO 8601 expiry timestamp. Refresh before this time.                              |
  </Accordion>

  <Accordion title="401 — Invalid Credentials">
    | Path                       | Type    | Description                                          |
    | -------------------------- | ------- | ---------------------------------------------------- |
    | `results.IsSucessful`      | boolean | `false`                                              |
    | `results.ErrorCode`        | string  | Error code from the platform                         |
    | `results.ExceptionMessage` | string  | Human-readable reason — check this field for details |
  </Accordion>
</AccordionGroup>
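
The "cache the token and reuse it" rule, together with `results.tokenExpiresOn` and the 401 error body, as an added Python example (not Loyalife's own code). `TokenCache`, `TokenError`, `http_post_json`, the 60-second refresh margin and the injectable `post`/`now` parameters are assumptions of this example; the URL, request fields and response paths are the ones documented on this page.

```python
import json
import threading
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://loyalife-api.xoxoday.in/lbms-ingress/oauth/api/Auth/Token"

class TokenError(Exception):
    """Token endpoint refused the request; the message never holds the secret."""

def http_post_json(url, payload):
    """Default transport (assumed helper): POST JSON, return (status, body)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # the documented 401 has a JSON body
        return err.code, json.load(err)

class TokenCache:
    """Holds one program token and refreshes it shortly before expiry."""

    def __init__(self, client_id, client_secret, post=http_post_json,
                 skew=timedelta(seconds=60),  # assumed refresh margin
                 now=lambda: datetime.now(timezone.utc)):
        self._creds = {"grant_type": "client_credentials",
                       "client_id": client_id, "client_secret": client_secret}
        self._post, self._skew, self._now = post, skew, now
        self._token, self._expires = None, None
        self._lock = threading.Lock()  # one refresh at a time across threads

    def get(self):
        with self._lock:
            if self._token is None or self._now() >= self._expires - self._skew:
                status, body = self._post(TOKEN_URL, self._creds)
                results = body.get("results") or {}
                if status != 200 or not results.get("token"):
                    # Report only the platform's error fields, never the request.
                    raise TokenError(f"HTTP {status}: {results.get('ErrorCode')} "
                                     f"{results.get('ExceptionMessage')}")
                self._token = results["token"]
                self._expires = datetime.fromisoformat(
                    results["tokenExpiresOn"].replace("Z", "+00:00"))
            return self._token

    def auth_header(self):
        return {"Authorization": f"bearer {self.get()}"}
```

Create one `TokenCache` per program, with the credentials loaded from a secret store or environment on the server side, and call `auth_header()` for every request.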

***

## Error Codes

| Code           | ExceptionMessage | Cause                                              |
| -------------- | ---------------- | -------------------------------------------------- |
| `000`          | Success          | Token generated successfully                       |
| `401` *(HTTP)* | Unauthorized     | Invalid `client_id` or `client_secret`             |
| `999`          | Bad request      | Missing or malformed fields in the request payload |


## OpenAPI

````yaml POST /lbms-ingress/oauth/api/Auth/Token
openapi: 3.1.0
info:
  title: Loyalife LBMS API
  description: >-
    REST API for Loyalife's Loyalty Management System. Covers member management,
    OTP authentication, loyalty transactions, and points redemption.
  version: 1.0.0
  contact:
    name: Xoxoday Support
    email: support@xoxoday.com
servers:
  - url: https://loyalife-api.xoxoday.in
    description: Production
security:
  - bearerAuth: []
paths:
  /lbms-ingress/oauth/api/Auth/Token:
    post:
      tags:
        - Authentication
      summary: Generate Auth Token
      description: >-
        Exchange client credentials for a JWT bearer token. Include the returned
        token in the `Authorization: bearer {token}` header of all subsequent
        API requests.
      operationId: generateAuthToken
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - grant_type
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  enum:
                    - client_credentials
                  description: OAuth 2.0 grant type
                  example: client_credentials
                client_id:
                  type: string
                  description: >-
                    Your OAuth client ID from Loyalife Admin → Program
                    Configuration → API
                  example: your-client-id
                client_secret:
                  type: string
                  description: Your OAuth client secret. Never expose in client-side code.
                  example: your-client-secret
                scope:
                  type: string
                  description: >-
                    Optional. Binds token to a specific member. JSON-encoded
                    array: `["LOGIN","{RelationReference}"]`. Omit for a
                    general-purpose program token.
                  example: '["LOGIN","jane.doe@example.com"]'
            example:
              grant_type: client_credentials
              client_id: your-client-id
              client_secret: your-client-secret
      responses:
        '200':
          description: Token issued
          content:
            application/json:
              schema:
                type: object
                properties:
                  results:
                    type: object
                    properties:
                      token:
                        type: string
                        description: JWT bearer token
                        example: >-
                          eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTUxMiIsInR5cCI6IkpXVCJ9...
                      tokenExpiresOn:
                        type: string
                        format: date-time
                        description: ISO 8601 expiry timestamp. Refresh before this time.
                        example: '2026-03-16T15:15:02Z'
              example:
                results:
                  token: >-
                    eyJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNobWFjLXNoYTUxMiIsInR5cCI6IkpXVCJ9...
                  tokenExpiresOn: '2026-03-16T15:15:02Z'
        '401':
          description: Invalid credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StandardError'
              example:
                results:
                  IsSucessful: false
                  ErrorCode: E401
                  ExceptionMessage: Invalid client credentials
      security: []
components:
  schemas:
    StandardError:
      type: object
      properties:
        results:
          type: object
          properties:
            IsSucessful:
              type: boolean
              example: false
            ErrorCode:
              type: string
              example: E400
            ExceptionMessage:
              type: string
              example: Error description
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        JWT obtained from Generate Auth Token. Pass as `Authorization: bearer
        {token}`.

````