The Bumblebee API is protected with API tokens. An API token indicates you are allowed to manipulate data from a customer. A token can be created by administrators here.

The API token contains a random password (the access_token), which is valid for a certain period. You can use this password to access the API until it expires, after which you have to refresh the token to generate a new random password.

Example API Token

  "api_token": {
    "id": "Abc123",
    "access_token": "Abc123Def456Ghi789Jk",
    "expires_at": "2021-01-01T13:00:00.000+01:00",
    "refresh_token": "Lmn987Opq654Rst321Uv",
    "refresh_url": ""
<?xml version="1.0" encoding="UTF-8"?>
  <expires-at type="dateTime">2021-01-01T13:00:00+01:00</expires-at>


id The unique id of this token
access_token The secret token you can use to access our API
expires_at The expiry date for the access_token field. The token can no longer be used after this moment.
refresh_token The secret token you use to request a new access_token. This value is hashed in our database and can not be retrieved later. If you have lost the refresh token, you have to create a new API token, the old token can not be refreshed anymore.
refresh_url The URL of the API to request a new access_token


To authenticate yourself in the API, you must put the access_token in the header of the request, like so:

Authorization: Token token="Abc123Def456Ghi789Jk"

The exception to this is the refresh service, where you have to use the refresh_token in the header.