Authentication

Authentication Methods

The Event Staff App API supports two types of authentication:

  • Business API Keys: For system-level integrations and B2B access
  • Personal Access Tokens: For individual user access via web or mobile apps

Business API Keys

Business API keys are long-lived tokens for system-level access. These are ideal for:

  • Third-party integrations
  • Backend services
  • Automated systems

Using Business API Keys

curl --request GET \
    --url 'https://api.eventstaffapp.com/v1/objects/events' \
    --header 'Authorization: Bearer YOUR_BUSINESS_API_KEY'

Personal Access Tokens

Personal access tokens are user-specific and ideal for:

  • Web applications
  • Mobile apps
  • Personal API access

Obtaining a Personal Access Token

curl --request POST \
    --url 'https://api.eventstaffapp.com/v1/auth/login' \
    --header 'Content-Type: application/json' \
    --data '{
        "email": "user@example.com",
        "password": "your_password"
    }'

Successful response:

{
    "success": true,
    "data": {
        "access_token": "YOUR_PERSONAL_ACCESS_TOKEN",
        "token_type": "Bearer",
        "expires_in": 86400
    },
    "message": "Successfully authenticated"
}

Using Personal Access Tokens

curl --request GET \
    --url 'https://api.eventstaffapp.com/v1/objects/events' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'
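The login and bearer-token requests above, combined into a small client that caches the token, re-authenticates shortly before expires_in elapses, and retries once after a 401 (for example after the token was revoked with DELETE /v1/tokens/personal/all). This is an added example, not the project's SDK: the endpoint paths and JSON shapes are the ones shown on this page, while FakeApi (a constructed stand-in so the code runs offline), the demo credentials and the 60-second expiry margin are this example's own assumptions.

```python
# Added example, not the project's SDK. Endpoint paths and JSON shape follow this
# page; FakeApi, the demo credentials and EXPIRY_MARGIN are this example's own.
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.eventstaffapp.com/v1"
EXPIRY_MARGIN = 60  # re-authenticate this many seconds before expires_in elapses


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: returns (status, response headers, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), json.loads(err.read() or b"null")


class Client:
    def __init__(self, email, password, transport=urllib_transport, clock=time.time):
        self._email, self._password = email, password
        self._transport, self._clock = transport, clock
        self._token, self._expires_at = None, 0.0  # token is held in memory only
        self.logins = 0  # number of /auth/login calls, for the demo

    def _login(self):
        status, _, payload = self._transport(
            "POST", f"{BASE_URL}/auth/login", {"Content-Type": "application/json"},
            {"email": self._email, "password": self._password})
        if status != 200 or not payload or not payload.get("success"):
            raise RuntimeError(f"login failed with HTTP {status}")  # never echo the password
        data = payload["data"]
        self._token = data["access_token"]
        self._expires_at = self._clock() + data["expires_in"] - EXPIRY_MARGIN
        self.logins += 1

    def request(self, method, path, body=None):
        """Send a bearer-authenticated request, logging in first if the cached token is stale."""
        if self._token is None or self._clock() >= self._expires_at:
            self._login()
        for attempt in range(2):
            headers = {"Authorization": f"Bearer {self._token}"}
            if body is not None:
                headers["Content-Type"] = "application/json"
            status, _, payload = self._transport(method, f"{BASE_URL}{path}", headers, body)
            if status == 401 and attempt == 0:
                self._login()  # token revoked server-side: re-authenticate once, then give up
                continue
            if status >= 400:
                raise RuntimeError(f"{method} {path} failed with HTTP {status}")
            return payload


class FakeApi:
    """Constructed stand-in for the service so the example runs offline."""
    def __init__(self, clock):
        self._clock, self.valid, self.issued = clock, {}, 0

    def __call__(self, method, url, headers, body):
        if url.endswith("/auth/login"):
            if body != {"email": "user@example.com", "password": "correct-horse"}:
                return 401, {}, {"success": False, "message": "Invalid credentials"}
            self.issued += 1
            token = f"tok{self.issued}"
            self.valid[token] = self._clock() + 86400
            return 200, {}, {"success": True, "message": "Successfully authenticated",
                             "data": {"access_token": token, "token_type": "Bearer", "expires_in": 86400}}
        token = headers.get("Authorization", "").removeprefix("Bearer ")
        if self.valid.get(token, 0) <= self._clock():
            return 401, {}, {"success": False, "message": "Unauthenticated"}
        if method == "DELETE" and url.endswith("/tokens/personal/all"):
            self.valid.clear()
            return 200, {}, {"success": True, "data": None, "message": "All tokens revoked"}
        return 200, {}, {"success": True, "data": [{"id": 1, "name": "Demo event"}], "message": "OK"}


def demo():
    """Reuse, expiry and server-side revocation on a fake clock; returns (logins, tokens issued)."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    api = FakeApi(clock)
    client = Client("user@example.com", "correct-horse", transport=api, clock=clock)
    client.request("GET", "/objects/events")
    client.request("GET", "/objects/events")          # cached token reused
    now[0] += 86400                                    # a day later: past expires_in
    client.request("GET", "/objects/events")          # proactive re-login before sending
    client.request("DELETE", "/tokens/personal/all")  # revoke everything server-side
    client.request("GET", "/objects/events")          # 401 -> re-login -> retried request
    return client.logins, api.issued


if __name__ == "__main__":
    print(demo())  # (3, 3)
```

To talk to the real API, construct Client without the transport argument so the urllib transport is used. The password is only ever sent to /auth/login, the token never leaves process memory, and the error messages carry the HTTP status but neither the password nor the token, so they are safe to log.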

Token Management

Listing Business API Keys

List all active API keys for your business. As the examples in this section show, key-management requests are authenticated with a personal access token rather than with a business API key:

curl --request GET \
    --url 'https://api.eventstaffapp.com/v1/tokens/business' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'

Revoking Business API Keys

Revoke a specific business API key:

curl --request DELETE \
    --url 'https://api.eventstaffapp.com/v1/tokens/business/{keyId}' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'

Revoke all business API keys:

curl --request DELETE \
    --url 'https://api.eventstaffapp.com/v1/tokens/business' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'

Revoking Personal Access Tokens

Revoke the personal access token presented in the Authorization header of this request:

curl --request DELETE \
    --url 'https://api.eventstaffapp.com/v1/tokens/personal' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'

Revoke all personal access tokens for your account:

curl --request DELETE \
    --url 'https://api.eventstaffapp.com/v1/tokens/personal/all' \
    --header 'Authorization: Bearer YOUR_PERSONAL_ACCESS_TOKEN'

Rate Limiting

API requests are rate-limited based on your business plan:

Plan          Rate Limit      Window
Free          60 requests     per minute
Basic         120 requests    per minute
Professional  300 requests    per minute
Enterprise    1,000 requests  per minute

Rate limit information is included in the response headers:

  • X-RateLimit-Limit: Maximum requests per window
  • X-RateLimit-Remaining: Remaining requests in current window
  • X-RateLimit-Reset: Time until the rate limit resets (in seconds)
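Added example (not the project's own code) of using these headers for client-side pacing: a naive loop that only reacts to rejections is compared with one that also pauses as soon as X-RateLimit-Remaining reaches 0. It assumes the API answers HTTP 429 once the window is exhausted, which this page does not state; FakeLimiter is a constructed stand-in enforcing the Free plan's 60 requests per minute so the comparison runs offline on a simulated clock.

```python
# Added example of client-side pacing from the X-RateLimit-* headers; not the
# project's own code. Assumption: the API answers HTTP 429 once the window is
# exhausted (the page names the headers but not the rejection status code).


def wait_seconds(status, headers):
    """Seconds to pause before the next request, judged from a single response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    reset = int(h.get("x-ratelimit-reset") or 0)
    remaining = h.get("x-ratelimit-remaining")
    if status == 429:
        return max(reset, 1)  # rejected: wait out the window, never busy-loop on Reset=0
    if remaining is not None and int(remaining) <= 0:
        return reset  # quota used up: the next call would be rejected, so wait now
    return 0


def run_naive(n, send, sleep):
    """Fire n requests as fast as possible and only back off after a 429."""
    done = 0
    for _ in range(n):
        status, headers = send()
        while status == 429:
            sleep(wait_seconds(status, headers))
            status, headers = send()
        done += 1
    return done


def run_paced(n, send, sleep):
    """Same, but also pause when Remaining hits 0 so no request is ever rejected."""
    done = 0
    for _ in range(n):
        status, headers = send()
        while status == 429:
            sleep(wait_seconds(status, headers))
            status, headers = send()
        done += 1
        delay = wait_seconds(status, headers)
        if delay:
            sleep(delay)
    return done


class FakeLimiter:
    """Constructed stand-in for the API's limiter: fixed windows of `limit` requests per `window` seconds."""
    def __init__(self, clock, limit=60, window=60):
        self._clock, self._limit, self._window = clock, limit, window
        self._window_end, self._used, self.rejected = 0.0, 0, 0

    def __call__(self):
        now = self._clock()
        if now >= self._window_end:
            self._window_end, self._used = now + self._window, 0
        headers = {"X-RateLimit-Limit": str(self._limit),
                   "X-RateLimit-Reset": str(int(self._window_end - now))}
        if self._used >= self._limit:
            self.rejected += 1
            headers["X-RateLimit-Remaining"] = "0"
            return 429, headers
        self._used += 1
        headers["X-RateLimit-Remaining"] = str(self._limit - self._used)
        return 200, headers


def simulate(runner, n=150, limit=60, window=60):
    """Run `runner` against a FakeLimiter on a simulated clock; returns (done, rejected, elapsed_s)."""
    now = [0.0]

    def sleep(seconds):
        now[0] += seconds

    limiter = FakeLimiter(lambda: now[0], limit, window)
    return runner(n, limiter, sleep), limiter.rejected, int(now[0])


if __name__ == "__main__":
    print("paced:", simulate(run_paced))  # (150, 0, 120)
    print("naive:", simulate(run_naive))  # (150, 2, 120)
```

Both runners finish 150 requests in the same 120 simulated seconds, but the paced one is never rejected, which matters when a 429 counts against the client (or fills the server's logs) and when several workers share one key.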

Security Best Practices

  • Never share your API keys or tokens, and keep them out of source control, logs and error messages
  • Store tokens securely and transmit them only over HTTPS
  • Rotate business API keys periodically, and revoke any key that may have been exposed
  • Use environment variables to supply tokens to your applications instead of hard-coding them
  • Personal access tokens expire after 24 hours (expires_in: 86400); re-authenticate when a token expires rather than persisting it indefinitely