
Authentication

BPP supports two authentication methods.

JWT Authentication

JWT (JSON Web Token) authentication is used for user-facing API access — for example, from custom integrations using user credentials.

Obtain a token

POST /api/v1/jwt/create/
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "yourpassword"
}

Response:

{
  "access": "<access_token>",
  "refresh": "<refresh_token>"
}

  • The access token is short-lived (minutes to hours).
  • The refresh token is long-lived and used to obtain new access tokens without re-entering credentials.

Use the token

Include the access token in the Authorization header of every API request:

Authorization: Bearer <access_token>

Refresh the token

POST /api/v1/jwt/refresh/
Content-Type: application/json

{
  "refresh": "<refresh_token>"
}

Verify a token

POST /api/v1/jwt/verify/
Content-Type: application/json

{
  "token": "<token_to_verify>"
}

Returns 200 OK if the token is valid.

Logout

To invalidate the refresh token:

POST /api/v1/jwt/logout/
Authorization: Bearer <access_token>
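
The obtain, use and refresh steps above, combined into one client-side session helper. This is an added example, not BPP's own code. It assumes that the access token carries a standard `exp` claim and that the refresh response returns a new "access" field; the injected `send` transport, the 30-second skew, the placeholder resource path and the sample tokens are constructed for illustration.

```python
import base64, json, time

def jwt_expiry(token):
    """Read `exp` from a JWT payload without verifying it (scheduling only)."""
    try:
        part = token.split(".")[1]
        exp = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None  # opaque or malformed token: caller refreshes

class BppSession:
    """Holds both tokens; `send(method, path, headers, body) -> dict` is injected."""
    def __init__(self, send, email, password, skew=30, now=time.time):
        self._send, self._skew, self._now = send, skew, now
        body = send("POST", "/api/v1/jwt/create/", {}, {"email": email, "password": password})
        self._access, self._refresh = body["access"], body["refresh"]

    def _fresh_access(self):
        exp = jwt_expiry(self._access)
        if exp is None or exp - self._skew <= self._now():
            body = self._send("POST", "/api/v1/jwt/refresh/", {}, {"refresh": self._refresh})
            self._access = body["access"]  # assumption: refresh returns "access"
        return self._access

    def request(self, method, path, body=None):
        headers = {"Authorization": "Bearer " + self._fresh_access()}
        return self._send(method, path, headers, body)

    def __repr__(self):
        return "<BppSession tokens=redacted>"  # keep tokens out of logs

def constructed_token(exp):
    """Constructed, unsigned sample token for the offline demo."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([seg({"typ": "JWT"}), seg({"exp": exp}), "sig"])

def demo():
    clock, calls = [1000], []
    def fake_send(method, path, headers, body):  # stands in for the HTTP layer
        calls.append(path)
        if path == "/api/v1/jwt/create/":
            return {"access": constructed_token(1300), "refresh": "constructed-refresh"}
        if path == "/api/v1/jwt/refresh/":
            return {"access": constructed_token(clock[0] + 300)}
        return {"ok": True}
    s = BppSession(fake_send, "user@example.com", "yourpassword", now=lambda: clock[0])
    s.request("GET", "/api/v1/placeholder/")  # hypothetical resource path
    clock[0] = 1290                            # now inside the 30 s skew window
    s.request("GET", "/api/v1/placeholder/")
    return calls
```

The client reads `exp` only to decide when to refresh; the server's signature check remains the authority on whether a token is valid.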

Static API Key Authentication

Static API keys are used for automated integrations — for example, custom scripts or scheduled jobs that call the BPP API.

Using the API key

Authorization: Api-Key <your-api-key>

Obtaining an API key

Static API keys are provisioned by your BPP administrator. Contact your administrator to request or rotate a key.

Key rotation

To rotate a static API key:

  1. Request a new key from your BPP administrator.
  2. Update all integrations that use the old key.
  3. Confirm everything is working before decommissioning the old key.

Social Login

BPP supports social login via:

  • Google OAuth — for user authentication and for connecting Google Ads accounts.
  • Facebook OAuth — for connecting Meta Ads accounts.

Social login for users is handled via the /api/v1/auth/ endpoints. Connection-level OAuth flows (Google Ads, Meta Ads) are initiated from the Connections section of the BPP UI.

Data isolation

All authenticated API requests are automatically scoped to the customer workspace associated with the authenticated user. You cannot access data from other workspaces.