Overview
The Dükkango API uses token-based authentication with access tokens that are valid for 24 hours.
All API requests must include the Access-Token header except for the /auth/login endpoint.
Authentication Flow
Call Login Endpoint
Send a POST request to /auth/login with your credentials.
Receive Access Token
Store the access_token and expiration_date from the response.
Include Token in Requests
Add Access-Token header to all subsequent API calls.
Refresh Before Expiry
Obtain a new token before the current one expires (24 hours).
Login Endpoint
app_secret_key: Your application secret key provided by Dükkango
rest_secret_key: Your restaurant secret key (unique per vendor/branch)
Request
curl -X POST https://www.xn--dkkango-n2a.com/api/integrations/auth/login \
-H 'Content-Type: application/json' \
-d '{
"app_secret_key": "your-app-secret-key",
"rest_secret_key": "your-restaurant-secret-key"
}'
Success Response (200)
{
"status": true,
"data": {
"access_token": "bcfb7a8a1239a25ab6b61b60964037421931c948bdc37c75daec8fd79a78b5e9",
"expiration_date": "2026-01-15 23:59:59"
}
}
Error Response (401)
{
"status": false,
"error": "yetkisiz erişim",
"message": "Invalid credentials"
}
Using Access Tokens
Once you have an access token, include it in the header of all API requests:
curl -X GET https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get \
-H 'Access-Token: bcfb7a8a1239a25ab6b61b60964037421931c948bdc37c75daec8fd79a78b5e9'
curl -X GET https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get \
-H 'Access-Token: your-access-token'
Token Expiration
Access tokens expire after 24 hours. Make sure to handle token expiration gracefully.
When your token expires, you’ll receive a 401 Unauthorized response:
{
"status": false,
"error": "yetkisiz erişim",
"message": "Token expired or invalid"
}
Recommended Token Management
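class DukkangoAPI {
  constructor(appSecret, restSecret) {
    this.appSecret = appSecret;
    this.restSecret = restSecret;
    this.accessToken = null;
    this.tokenExpiry = null; // epoch milliseconds
  }

  async ensureValidToken() {
    // Refresh if there is no token, the expiry is unknown, or the token
    // expires within 1 hour
    if (!this.accessToken ||
        !Number.isFinite(this.tokenExpiry) ||
        Date.now() > this.tokenExpiry - 3600000) {
      await this.refreshToken();
    }
  }

  async refreshToken() {
    const response = await fetch(
      'https://www.xn--dkkango-n2a.com/api/integrations/auth/login',
      {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          app_secret_key: this.appSecret,
          rest_secret_key: this.restSecret
        })
      }
    );
    const data = await response.json();
    // A failed login (e.g. 401) carries no data.data; fail here instead of
    // storing an undefined token
    if (!response.ok || !data.status) {
      throw new Error(`Login failed (${response.status}): ${data.message}`);
    }
    this.accessToken = data.data.access_token;
    // expiration_date looks like "2026-01-15 23:59:59"; convert it to ISO form
    // for consistent parsing. It has no timezone, so it is read as local time.
    this.tokenExpiry = new Date(
      data.data.expiration_date.replace(' ', 'T')
    ).getTime();
  }

  async makeRequest(endpoint, options = {}) {
    await this.ensureValidToken();
    // Attach the current token to every call
    return fetch(`https://www.xn--dkkango-n2a.com/api/integrations${endpoint}`, {
      ...options,
      headers: {
        ...options.headers,
        'Access-Token': this.accessToken
      }
    });
  }
}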
Security Best Practices
Store Credentials Securely
- Never hard-code secret keys in your source code
- Use environment variables or secure key management systems
- Encrypt credentials at rest
- Rotate keys periodically
- Store tokens in memory, not in local storage (for web apps)
- Never log tokens in plain text
- Transmit tokens only over HTTPS
- Implement token refresh logic
Monitor for Unauthorized Access
- Log all authentication attempts
- Set up alerts for repeated failed logins
- Monitor unusual API usage patterns
- Revoke compromised tokens immediately
- All API calls must use HTTPS (SSL/TLS)
- Validate SSL certificates
- Don’t allow HTTP fallback
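The logging and monitoring items above, as an added example that is not part of the Dükkango documentation: it masks the Access-Token header and the access_token, app_secret_key and rest_secret_key fields before a line is logged, and flags sources with repeated failed /auth/login calls. The event shape, function names, threshold and window are assumptions.

```javascript
// Added example. Header and field names come from this page; the event shape,
// function names, threshold and window are assumptions for illustration.
const SECRET_FIELDS = ['access_token', 'app_secret_key', 'rest_secret_key'];
const JSON_SECRET = new RegExp(
  `("(?:${SECRET_FIELDS.join('|')})"\\s*:\\s*")[^"]*(")`, 'g');
// Matches both `Access-Token: value` and `'Access-Token': 'value'`.
const HEADER_SECRET = /(Access-Token['"]?\s*:\s*['"]?)[^\s'"]+/gi;

// Mask credentials in a line before it reaches any log sink.
function redact(line) {
  return String(line)
    .replace(JSON_SECRET, '$1[REDACTED]$2')
    .replace(HEADER_SECRET, '$1[REDACTED]');
}

// Sliding-window check: return the sources with `threshold` or more failed
// logins (401 from /auth/login) inside any `windowMs` span.
function findRepeatedFailures(events, threshold = 5, windowMs = 10 * 60 * 1000) {
  const recent = new Map(); // source -> failure timestamps still in the window
  const flagged = new Set();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.path !== '/auth/login' || e.status !== 401) continue;
    const times = (recent.get(e.source) || []).filter(t => e.ts - t < windowMs);
    times.push(e.ts);
    recent.set(e.source, times);
    if (times.length >= threshold) flagged.add(e.source);
  }
  return [...flagged];
}

// Constructed sample events (not real traffic); ts is epoch milliseconds.
const SAMPLE_EVENTS = [
  ...[0, 1, 2, 3, 4].map(i => ({
    ts: 1000 + i * 30000, source: 'pos-terminal-A', path: '/auth/login', status: 401 })),
  { ts: 5000, source: 'pos-terminal-B', path: '/auth/login', status: 401 },
  { ts: 9000, source: 'pos-terminal-B', path: '/auth/login', status: 200 },
  { ts: 3600000, source: 'pos-terminal-B', path: '/auth/login', status: 401 },
];

console.log(redact(`POST /auth/login {"app_secret_key": "k1", "rest_secret_key": "k2"}`));
console.log(redact(`GET /restaurants/get Access-Token: 0123abcd`));
console.log(findRepeatedFailures(SAMPLE_EVENTS));
```

Values containing escaped double quotes are outside what the JSON pattern handles; redact structured objects field by field where the logger has them before serialization.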
Multi-Branch Access
A single API key can be configured for vendor-wide access (all branches) or branch-specific access.
When you call /restaurants/get, you’ll see all branches accessible with your API key:
{
"status": true,
"data": [
{
"id": "8f2b9ce2-04de-4712-842d-a39f64596fdf",
"name": "Akat Şube"
},
{
"id": "0ca1d2b1-a199-4960-8617-83a659d890c8",
"name": "Halaskargazi Şube"
}
]
}
Error Codes
| HTTP Status | Error Code | Description |
|---|---|---|
| 401 | yetkisiz erişim | Invalid or missing access token |
| 401 | yetkisiz erişim | Token expired |
| 422 | eksik alan | Missing required credentials |