API reference

Authentication

This page covers the endpoints necessary for authenticating your API requests. Keep your credentials secure and rotate tokens regularly.

There are two authentication mechanisms:

  • HLC Access Token: This token is available in the HLC B2B site. You can define it manually or have it automatically generated. It is primarily used by API version 3.0 but is now supported in all API versions. You must pass the token via the header as explained in the security page.
  • HLC JWT Token: This token is automatically generated by the API when using the /System/Login endpoint. This token is the foundation of security in version 4.0 and later. When using v3.0 endpoints in v4.0+, our gateway automatically converts the access token into a JWT token for authentication and authorization.

Since the access token can be retrieved directly from the HLC B2B site (details explained in the security page), this page demonstrates only how to obtain a JWT token programmatically using /System/Login.


POST /System/Login

Use this endpoint to exchange credentials for a JWT token. The token is then sent in the Authorization header for all subsequent requests.

Request body

// Base URL of the API version being called
const baseUrl = 'https://api.hlc.bike/us/v4.1'

// Exchange credentials for a token; read them from the environment instead of hard-coding them
const loginRes = await fetch(`${baseUrl}/System/Login`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    username: process.env.HLC_USERNAME,
    password: process.env.HLC_PASSWORD,
  }),
})

if (!loginRes.ok) throw new Error('Login failed')
const { accessToken } = await loginRes.json()

// Send the token with each subsequent request
const brandsRes = await fetch(`${baseUrl}/Catalog/Brands`, {
  headers: { ApiKey: accessToken },
})

Response

{
  "327a12b0ea244dba39c9dd806cd1996d7b4..."
}
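
The login flow above, wrapped as an added example (not HLC's own code): a small client that keeps the token in memory only, shares one login between concurrent callers, and logs in again once when a request is rejected. It assumes the API answers HTTP 401 for a token it no longer accepts; `createHlcClient` and `fetchImpl` are hypothetical names, and the `accessToken` field and `ApiKey` header follow the sample on this page.

```javascript
// Added example: in-memory token cache for the /System/Login flow.
// Assumptions (not confirmed by the page): the API answers 401 when a token
// is no longer accepted; createHlcClient and fetchImpl are hypothetical names.
function createHlcClient({ baseUrl, username, password, fetchImpl = globalThis.fetch }) {
  let token = null        // kept in memory only, never logged or persisted
  let pendingLogin = null // shared by concurrent callers: one login at a time

  async function login() {
    const res = await fetchImpl(`${baseUrl}/System/Login`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ username, password }),
    })
    // Report the status only; never echo the request body or credentials.
    if (!res.ok) throw new Error(`Login failed with HTTP ${res.status}`)
    const { accessToken } = await res.json() // same field as the page's sample
    if (typeof accessToken !== 'string' || accessToken === '') {
      throw new Error('Login response did not contain a token')
    }
    return accessToken
  }

  function getToken() {
    if (token) return Promise.resolve(token)
    pendingLogin ??= login()
      .then((t) => (token = t))
      .finally(() => { pendingLogin = null })
    return pendingLogin
  }

  async function get(path) {
    for (let attempt = 0; attempt < 2; attempt++) {
      const res = await fetchImpl(`${baseUrl}${path}`, {
        headers: { ApiKey: await getToken() }, // header name taken from the page's sample
      })
      if (res.status !== 401) return res
      token = null // rejected token: discard it and log in once more
    }
    throw new Error(`Request to ${path} was rejected after re-login`)
  }

  return { get }
}
```

Pass the credentials from environment variables, as the sample above does, and call `client.get('/Catalog/Brands')`; the token never leaves the closure.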