> ## Documentation Index
> Fetch the complete documentation index at: https://dkkangoyazlmteknolojiticareta.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Learn how to authenticate with the Dükkango API

## Overview

The Dükkango API uses **token-based authentication** with access tokens that are valid for 24 hours.

<Info>
  All API requests must include the `Access-Token` header except for the `/auth/login` endpoint.
</Info>

## Authentication Flow

<Steps>
  <Step title="Call Login Endpoint">
    Send a POST request to `/auth/login` with your credentials.
  </Step>

  <Step title="Receive Access Token">
    Store the `access_token` and `expiration_date` from the response.
  </Step>

  <Step title="Include Token in Requests">
    Add `Access-Token` header to all subsequent API calls.
  </Step>

  <Step title="Refresh Before Expiry">
    Obtain a new token before the current one expires (24 hours).
  </Step>
</Steps>

## Login Endpoint

<ParamField path="app_secret_key" type="string" required>
  Your application secret key provided by Dükkango
</ParamField>

<ParamField path="rest_secret_key" type="string" required>
  Your restaurant secret key (unique per vendor/branch)
</ParamField>

### Request

```bash theme={null}
curl -X POST https://www.xn--dkkango-n2a.com/api/integrations/auth/login \
  -H 'Content-Type: application/json' \
  -d '{
    "app_secret_key": "your-app-secret-key",
    "rest_secret_key": "your-restaurant-secret-key"
  }'
```

### Success Response (200)

```json theme={null}
{
  "status": true,
  "data": {
    "access_token": "bcfb7a8a1239a25ab6b61b60964037421931c948bdc37c75daec8fd79a78b5e9",
    "expiration_date": "2026-01-15 23:59:59"
  }
}
```

### Error Response (401)

```json theme={null}
{
  "status": false,
  "error": "yetkisiz erişim",
  "message": "Invalid credentials"
}
```

## Using Access Tokens

Once you have an access token, include it in the header of all API requests:

```bash theme={null}
curl -X GET https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get \
  -H 'Access-Token: bcfb7a8a1239a25ab6b61b60964037421931c948bdc37c75daec8fd79a78b5e9'
```

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get \
    -H 'Access-Token: your-access-token'
  ```

  ```javascript JavaScript theme={null}
  const response = await fetch(
    'https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get',
    {
      headers: {
        'Access-Token': 'your-access-token'
      }
    }
  );
  ```

  ```python Python theme={null}
  import requests

  response = requests.get(
      'https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get',
      headers={'Access-Token': 'your-access-token'}
  )
  ```

  ```php PHP theme={null}
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, 'https://www.xn--dkkango-n2a.com/api/integrations/restaurants/get');
  curl_setopt($ch, CURLOPT_HTTPHEADER, array('Access-Token: your-access-token'));
  $response = curl_exec($ch);
  ```
</CodeGroup>

## Token Expiration

<Warning>
  Access tokens expire after **24 hours**. Make sure to handle token expiration gracefully.
</Warning>

When your token expires, you'll receive a `401 Unauthorized` response:

```json theme={null}
{
  "status": false,
  "error": "yetkisiz erişim",
  "message": "Token expired or invalid"
}
```

### Recommended Token Management

```javascript theme={null}
class DukkangoAPI {
  constructor(appSecret, restSecret) {
    this.appSecret = appSecret;
    this.restSecret = restSecret;
    this.accessToken = null;
    this.tokenExpiry = null;
  }

  async ensureValidToken() {
    // Check if token is expired or about to expire (within 1 hour)
    if (!this.accessToken || 
        Date.now() > this.tokenExpiry - 3600000) {
      await this.refreshToken();
    }
  }

  async refreshToken() {
    const response = await fetch(
      'https://www.xn--dkkango-n2a.com/api/integrations/auth/login',
      {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
          app_secret_key: this.appSecret,
          rest_secret_key: this.restSecret
        })
      }
    );

    const data = await response.json();
    this.accessToken = data.data.access_token;
    this.tokenExpiry = new Date(data.data.expiration_date).getTime();
  }

  async makeRequest(endpoint, options = {}) {
    await this.ensureValidToken();
    
    return fetch(`https://www.xn--dkkango-n2a.com/api/integrations${endpoint}`, {
      ...options,
      headers: {
        ...options.headers,
        'Access-Token': this.accessToken
      }
    });
  }
}
```

## Security Best Practices

<AccordionGroup>
  <Accordion title="Store Credentials Securely">
    * Never hard-code secret keys in your source code
    * Use environment variables or secure key management systems
    * Encrypt credentials at rest
    * Rotate keys periodically
  </Accordion>

  <Accordion title="Protect Access Tokens">
    * Store tokens in memory, not in local storage (for web apps)
    * Never log tokens in plain text
    * Transmit tokens only over HTTPS
    * Implement token refresh logic
  </Accordion>

  <Accordion title="Monitor for Unauthorized Access">
    * Log all authentication attempts
    * Set up alerts for repeated failed logins
    * Monitor unusual API usage patterns
    * Revoke compromised tokens immediately
  </Accordion>

  <Accordion title="Use HTTPS Only">
    * All API calls must use HTTPS (SSL/TLS)
    * Validate SSL certificates
    * Don't allow HTTP fallback
  </Accordion>
</AccordionGroup>

## Multi-Branch Access

<Tip>
  A single API key can be configured for **vendor-wide access** (all branches) or **branch-specific access**.
</Tip>

When you call `/restaurants/get`, you'll see all branches accessible with your API key:

```json theme={null}
{
  "status": true,
  "data": [
    {
      "id": "8f2b9ce2-04de-4712-842d-a39f64596fdf",
      "name": "Akat Şube"
    },
    {
      "id": "0ca1d2b1-a199-4960-8617-83a659d890c8",
      "name": "Halaskargazi Şube"
    }
  ]
}
```

## Error Codes

| HTTP Status | Error Code      | Description                     |
| ----------- | --------------- | ------------------------------- |
| 401         | yetkisiz erişim | Invalid or missing access token |
| 401         | yetkisiz erişim | Token expired                   |
| 422         | eksik alan      | Missing required credentials    |

<Card title="Next: API Reference" icon="arrow-right" href="/api-reference/overview">
  Now that you're authenticated, explore the available API endpoints
</Card>
