# Authentication

To access the API, a user must have the *"Access System API"* permission enabled on one of their assigned roles. Access to content via the API is limited by the roles and permissions assigned to the user account that is used to access the API.

Authentication to the API is primarily done using API Tokens. Once the *"Access System API"* permission has been assigned to a user, an "API Tokens" section should be visible when editing their user profile. Send the token value as a header in API HTTP requests in the following format:

```
Authorization: Bearer <token>
```

Here's an example of an authorized Axios request to the address list endpoint:

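```javascript
const axios = require('axios');

// Request configuration: the API token goes in the Authorization header.
const config = {
  method: 'get',
  maxBodyLength: Infinity,
  url: 'https://testapi.onmarket.id/user/address/list?page=1',
  headers: {
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlcm5ldzEiLCJhZ2VudCI6bnVsbCwibmF0aXZlIjpmYWxzZSwiaWF0IjoxNjk5MzUwMDYxfQ.eg945MifOGFH2tz1aT0UgD0YFHziV4rellDF5isXVlQ'
  }
};

axios.request(config)
  .then((response) => {
    console.log(JSON.stringify(response.data));
  })
  .catch((error) => {
    // Log only the status and message: the full Axios error object includes
    // the request config, and with it the Authorization header.
    console.error(error.response ? error.response.status : 'no response', error.message);
  });
```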

To get this token, send a POST request to the following authentication endpoint:

#### (POST) https://usapi.onindonesia.id/auth

<details id="bkmrk-body-parameters-user"><summary>Body parameters</summary>

```
username : <string>
password : <string>
options  : <object> {
  nativeApp: <boolean>
}
```

<p class="callout info">For websites, set nativeApp to false. For mobile phones, set nativeApp to true.</p>

</details><details id="bkmrk-example-request-we%27r"><summary>Example request</summary>

<p class="callout info">We're using the test link for this example. For production, use usapi.onindonesia.id.</p>

```json
{
  "username": "usernew1",
  "password": "12345678",
  "options": {
    "nativeApp": false
  }
}
```

</details><details id="bkmrk-example-result-%7B-%22to"><summary>Example result</summary>

```json
{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoidXNlcm5ldzEiLCJhZ2VudCI6bnVsbCwibmF0aXZlIjpmYWxzZSwiaWF0IjoxNjk5MzUwMDYxfQ.eg945MifOGFH2tz1aT0UgD0YFHziV4rellDF5isXVlQ"
}
```

</details><details id="bkmrk-error-lists-422-unpr"><summary>Error lists</summary>

422 Unprocessable Entity

```json
{
    "message": "Invalid Credential"
}
```

400 Bad Request

```json
{
    "message": "Invalid JSON Format"
}
```

</details>
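
The login flow described above, as an added example that is not part of the original documentation or the API project's code: it builds the `/auth` request, maps the documented 422 and 400 responses to errors, and returns the `Authorization` header for later calls. The function names, the `Content-Type` header, and treating any 2xx status as success are assumptions.

```javascript
// Added example (not the API project's own code). Uses only Node 18+ globals.
const AUTH_URL = 'https://usapi.onindonesia.id/auth'; // endpoint as given on this page

// Build the POST /auth request. nativeApp: false for websites, true for mobile phones.
function buildAuthRequest(username, password, nativeApp = false) {
  if (typeof username !== 'string' || !username || typeof password !== 'string' || !password) {
    throw new TypeError('username and password must be non-empty strings');
  }
  if (typeof nativeApp !== 'boolean') throw new TypeError('nativeApp must be a boolean');
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' }, // assumption: JSON request body
    body: JSON.stringify({ username, password, options: { nativeApp } }),
  };
}

// Map a status code and raw body to the token, or to an Error for the documented failures.
// Assumption: success is any 2xx status carrying {"token": "<string>"}.
function parseAuthResponse(status, bodyText) {
  let body = {};
  try {
    body = JSON.parse(bodyText) ?? {};
  } catch (err) {
    body = {}; // non-JSON body: report by status only
  }
  const detail = typeof body.message === 'string' ? body.message : 'no message';
  if (status === 422) throw new Error(`authentication failed (422): ${detail}`);
  if (status === 400) throw new Error(`malformed request (400): ${detail}`);
  if (status < 200 || status > 299) throw new Error(`unexpected status ${status}: ${detail}`);
  if (typeof body.token !== 'string' || body.token === '') {
    throw new Error('response did not contain a token');
  }
  return body.token;
}

// Headers for later API calls, in the "Authorization: Bearer <token>" format.
function bearerHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// Full flow. Pass credentials in from the environment or a secret store rather than
// hard-coding them, and keep the returned header out of logs.
async function login(username, password, nativeApp = false, fetchImpl = fetch) {
  const res = await fetchImpl(AUTH_URL, buildAuthRequest(username, password, nativeApp));
  return bearerHeaders(parseAuthResponse(res.status, await res.text()));
}
```

The `fetchImpl` parameter lets the flow be exercised against a stub transport without touching the network.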