Authorization header containing a valid token.
Token types
LoyaltyDog issues two token shapes:

| Token | Use case | How to obtain |
|---|---|---|
| Merchant token | First-party access to a merchant’s own programs, customers, and gift cards | Contact us to provision |
| App key | Third-party apps acting on behalf of a merchant | POST /v2/appkeys (see the API reference) |
Multi-tenancy
All resources are scoped to a programId. Tokens are bound to a merchant; the API rejects any request that targets a program your token does not own. This program-based isolation is enforced server-side — there is no client-side filtering to bypass.
MFA on user logins
End-user authentication (for example, merchant staff signing into the dashboard) supports TOTP-based MFA via the /v2/token/mfa/* endpoints. Programmatic API access uses tokens directly and does not require MFA.
Rotating tokens
Treat tokens like passwords. To rotate:
- Issue a new token (via the dashboard or POST /v2/appkeys).
- Deploy the new token to your services.
- Revoke the old token.
Common errors
| Status | Meaning | Fix |
|---|---|---|
| 401 Unauthorized | Missing or invalid token | Check the Authorization header and token validity |
| 403 Forbidden | Token does not own the target resource | Verify the programId matches your merchant |
| 429 Too Many Requests | Rate limit exceeded | Back off; respect the Retry-After header |
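One way a client could act on the table above, as an added example that is not LoyaltyDog's own code: fail fast on 401 and 403 (a retry with the same token cannot succeed) and wait out a 429 using Retry-After in either its seconds or HTTP-date form. The function names, the injected `send` transport, the 60-second cap and the 1-second fallback are assumptions made for illustration.

```python
import email.utils
import time
from datetime import datetime, timezone

class TokenRejected(Exception):
    """401: token missing or invalid; the same token will fail again."""

class NotProgramOwner(Exception):
    """403: token does not own the target programId; do not retry."""

def parse_retry_after(value, now=None, default=1.0, cap=60.0):
    """Seconds to wait for a Retry-After value (delta-seconds or HTTP-date)."""
    if value is None:
        return default
    value = value.strip()
    if value.isdigit():
        return min(float(value), cap)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return default  # unparseable header: fall back instead of hammering
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    # A date in the past means "retry now"; the cap bounds a hostile or bad value.
    return min(max((when - now).total_seconds(), 0.0), cap)

def call_with_backoff(send, max_attempts=4, sleep=time.sleep):
    """send() -> (status, headers, body) is a hypothetical transport hook."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status == 401:
            raise TokenRejected("check the Authorization header and token validity")
        if status == 403:
            raise NotProgramOwner("verify the programId matches your merchant")
        if status != 429:
            return status, body
        if attempt < max_attempts:
            # Header names are case-insensitive; normalise before lookup.
            lowered = {k.lower(): v for k, v in headers.items()}
            sleep(parse_retry_after(lowered.get("retry-after")))
    raise RuntimeError("still rate limited after %d attempts" % max_attempts)
```

Treating 403 as terminal also keeps a misconfigured programId from turning into a retry loop that burns the rate limit.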
Next steps
Quickstart
Walk through your first authenticated request.
API reference
Browse every endpoint and schema.
