Obtaining a JWT Token
Send a POST request to /api/login.php with your Shiipp username and password. On success, the response contains an access_token that must be included in the Authorization header of every subsequent request.
Endpoint: POST /api/login.php
Request Body
Must be the literal string "login".
Your Shiipp account username.
Your Shiipp account password.
Example Login Request
Success Response (No 2FA)
Using the Token
Include the token in the Authorization header for every subsequent API call. Tokens expire after 8 hours. When your token expires, repeat the login flow to obtain a new one — there is no refresh token endpoint.
Login Response Fields
The JWT token to use in the Authorization: Bearer header.
Always "Bearer".
Profile information for the authenticated user.
Two-Factor Authentication (2FA) Flow
If the account has 2FA enabled, the initial POST /api/login.php call returns a "2fa_required" status instead of an access_token. The response includes a short-lived preauth_token that acts as a challenge ticket.
Step 1 — Initial Login Response (2FA Required)
The preauth_token is valid for 5 minutes. If it expires before the user submits their code, restart the flow from the initial login request.
Step 2 — Submit the TOTP Code
Make a second POST /api/login.php call with action: "verify_2fa", the preauth_token from step one, and the six-digit TOTP code from the user’s authenticator app.
Must be the literal string "verify_2fa".
The preauth_token returned in the 2fa_required response.
The six-digit TOTP code from the user’s authenticator app. Backup codes are also accepted in place of a TOTP code.
access_token and user object. From this point the token is used identically regardless of whether 2FA was involved.
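The login flow above, including the 2FA branch and both expiry windows, as an added Python example (not Shiipp's own code). The class and exception names, the injected `post` transport, the 60-second margin and the `code` field name for the TOTP value are assumptions; the other field names and lifetimes come from the text.

```python
import time

TOKEN_TTL = 8 * 3600   # page: access tokens expire after 8 hours
PREAUTH_TTL = 5 * 60   # page: preauth_token is valid for 5 minutes
SKEW = 60              # assumed safety margin so a token is never sent at its last second
LOGIN_PATH = "/api/login.php"


class LoginError(Exception):
    pass


class ShiippSession:
    """Holds the JWT and its local expiry. `post(path, body) -> dict` is an injected transport."""

    def __init__(self, post, clock=time.monotonic):
        self.post, self.clock = post, clock
        self.token, self.expires_at = None, 0.0

    def login(self, username, password, get_code=None):
        started = self.clock()
        resp = self.post(LOGIN_PATH, {"action": "login",
                                      "username": username, "password": password})
        if resp.get("status") == "2fa_required":
            if get_code is None:
                raise LoginError("account requires 2FA but no code source was supplied")
            code = get_code()  # may block while the user opens the authenticator app
            if self.clock() - started >= PREAUTH_TTL:
                raise LoginError("preauth_token expired; restart from the initial login")
            # "code" is an assumed field name: the page does not show the request body.
            resp = self.post(LOGIN_PATH, {"action": "verify_2fa", "code": code,
                                          "preauth_token": resp["preauth_token"]})
        if "access_token" not in resp:
            # Report only the status; never echo credentials or tokens into logs.
            raise LoginError("login failed with status %r" % resp.get("status"))
        self.token = resp["access_token"]
        self.expires_at = self.clock() + TOKEN_TTL - SKEW

    def auth_header(self):
        # There is no refresh endpoint, so an expired token means a full re-login.
        if self.token is None or self.clock() >= self.expires_at:
            self.token = None
            raise LoginError("no valid token; repeat the login flow")
        return {"Authorization": "Bearer " + self.token}
```

In real use `post` would wrap an HTTPS client that sends the body as JSON, and `get_code` would prompt the user for the TOTP or backup code.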
API Key Authentication
The prealert submission endpoint (POST /api/Prealert.php) is designed for server-to-server courier integrations and uses a static API key instead of a JWT token. This avoids the need to manage token expiry in automated pipelines.
Obtain your API key from the Courier Settings section of the Shiipp dashboard. Each courier account has its own unique key.
Sending the API Key
The recommended method is to pass the key as a request header:
Authentication Error Reference
| HTTP Code | status Field | Cause |
|---|---|---|
| 400 | fail | The request body is missing or contains invalid JSON |
| 422 | fail | Required fields (username or password) are absent or blank in the login request |
| 401 | fail | Invalid username or password |
| 401 | fail | Invalid or expired 2FA code |
| 401 | error | JWT token is missing, malformed, or expired on a protected endpoint |
| 403 | fail | Account exists but has been disabled by an administrator |