Login

Exchange your email and password for a JWT access token and refresh token.
POST /api/auth/login/
Request body:
{
  "email": "[email protected]",
  "password": "your_password"
}
Response:
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMDFIWC4uLiIsImV4cCI6MTcxMTUwMzYwMH0...",
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMDFIWC4uLiIsImV4cCI6MTcxNDA2NTYwMH0...",
  "user": {
    "id": "usr_01HX...",
    "email": "[email protected]",
    "firstName": "Jane",
    "lastName": "Smith",
    "workspaceId": "ws_01HX..."
  }
}
  • The access token expires after 1 hour.
  • The refresh token expires after 30 days.

Token Refresh

Use the refresh token to obtain a new access token without re-authenticating.
POST /api/auth/token/refresh/
Request body:
{
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Response:
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
If the refresh token has expired, you must log in again to get a new pair of tokens. Refresh tokens are rotated on each use — the old refresh token is invalidated when a new one is issued.

Using the Access Token

Include the access token in the Authorization header of every API request:
GET /api/contacts/
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

API Key Authentication

For server-to-server integrations where storing user credentials is not ideal, ParsaLink supports workspace-level API keys.

Creating an API Key

  1. Go to Settings → API Keys.
  2. Click Create API Key.
  3. Give the key a name (e.g., “Zapier Integration” or “Internal Dashboard”).
  4. Copy the key — it is only shown once.
API keys are shown only at the time of creation. If you lose a key, you must revoke it and create a new one. Store keys securely in environment variables or a secrets manager — never in client-side code or version control.

Using an API Key

API keys use the same Authorization: Bearer header format:
GET /api/contacts/
Authorization: Bearer pk_live_01HX...
API keys are scoped to the workspace, not to an individual user. Actions performed with an API key are attributed to a system user in activity logs.

Revoking an API Key

Go to Settings → API Keys, find the key, and click Revoke. The key stops working immediately.

Example: Full Authentication Flow

import requests

# Step 1: Log in
response = requests.post("https://api.parsalink.io/api/auth/login/", json={
    "email": "[email protected]",
    "password": "your_password"
}, timeout=10)
response.raise_for_status()  # fail on rejected credentials instead of on a missing key below
tokens = response.json()
access_token = tokens["access"]
refresh_token = tokens["refresh"]

# Step 2: Make an authenticated request
headers = {"Authorization": f"Bearer {access_token}"}
contacts = requests.get("https://api.parsalink.io/api/contacts/", headers=headers, timeout=10)
contacts.raise_for_status()

# Step 3: Refresh when token expires
new_tokens = requests.post("https://api.parsalink.io/api/auth/token/refresh/", json={
    "refresh": refresh_token
}, timeout=10)
new_tokens.raise_for_status()  # an expired refresh token means logging in again
access_token = new_tokens.json()["access"]
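
Step 3 above refreshes unconditionally. The following added example (not ParsaLink's own code) schedules the refresh from the access token's exp claim, which the sample token in the login response carries, keeps a rotated refresh token if the response includes one, and logs in again when the refresh is rejected. The TokenStore class, the post(path, body) transport hook, the 60-second skew and HTTP 200 as the success status are assumptions.

```python
import base64, json, time

def jwt_exp(token):
    """Read `exp` from a JWT payload WITHOUT verifying the signature.
    Good enough for scheduling a refresh; the server remains the authority."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

class TokenStore:
    """`post(path, body) -> (status, json_dict)` is a hypothetical transport
    hook; wire it to your HTTP client (HTTPS only)."""
    def __init__(self, post, credentials, skew=60, now=time.time):
        self.post, self.credentials = post, credentials
        self.skew, self.now = skew, now
        self.access = self.refresh = None

    def _login(self):
        status, body = self.post("/api/auth/login/", self.credentials)
        if status != 200:  # assumption: success is HTTP 200
            raise PermissionError("login rejected")
        self.access, self.refresh = body["access"], body["refresh"]

    def auth_header(self):
        if self.access is None:
            self._login()
        elif jwt_exp(self.access) - self.skew <= self.now():
            status, body = self.post("/api/auth/token/refresh/",
                                     {"refresh": self.refresh})
            if status == 200:
                self.access = body["access"]
                # Assumption: the documented response shows only "access";
                # if a rotated refresh token is also returned, keep it.
                self.refresh = body.get("refresh", self.refresh)
            else:
                self._login()  # refresh token expired or invalidated
        return {"Authorization": f"Bearer {self.access}"}

def fake_jwt(exp):
    """Constructed, unsigned sample token for offline runs."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.sig"

if __name__ == "__main__":
    # Sample access token from the login response above (truncated as shown).
    sample = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiMDFIWC4uLiIsImV4cCI6MTcxMTUwMzYwMH0..."
    print(jwt_exp(sample))
```
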

Security Best Practices

  • Never hardcode credentials — Use environment variables for tokens and API keys.
  • Store refresh tokens securely — Treat them like passwords.
  • Rotate API keys regularly — Create a new key and revoke the old one periodically.
  • Use HTTPS only — All API communication must be over TLS. HTTP is not supported.
  • Monitor key usage — Review API key activity logs in Settings → API Keys to detect unauthorized access.