The Yativo Crypto API uses the same authentication system as the core Yativo platform. You can authenticate using short-lived JWT tokens (for user-session flows) or API keys (recommended for server-to-server integrations).

Base URLs

| Environment | URL |
| --- | --- |
| Dashboard | https://crypto.yativo.com |
| API Base | https://crypto-api.yativo.com/api |

For backend integrations, use the API key + secret flow. It does not require a user session and tokens can be programmatically refreshed.
1. Generate an API key

Create an API key from the dashboard or via the API (requires 2FA). See API Keys for full details.
2. Exchange for a Bearer token

curl -X POST https://crypto-api.yativo.com/api/auth/token \
  -H "Content-Type: application/json" \
  -d '{
    "api_key": "yvk_live_...",
    "api_secret": "yvs_live_..."
  }'
Response
{
  "success": true,
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "expires_at": "2026-03-26T14:00:00.000Z",
  "scopes": ["read", "write", "transactions"]
}
3. Use the token

curl -X GET https://crypto-api.yativo.com/api/accounts/get-accounts \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Auto-Refresh Pattern

Implement automatic token refresh to avoid 401 errors in long-running processes:
class YativoAuth {
  private token: string | null = null;
  private expiresAt: number = 0;

  constructor(
    private readonly apiKey: string,
    private readonly apiSecret: string
  ) {}

  async getToken(): Promise<string> {
    if (this.token && Date.now() < this.expiresAt - 60_000) {
      return this.token; // still valid with 60s buffer
    }
    return this.refresh();
  }

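  private async refresh(): Promise<string> {
    const res = await fetch('https://crypto-api.yativo.com/api/auth/token', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ api_key: this.apiKey, api_secret: this.apiSecret }),
    });
    // Fail loudly on a rejected request instead of caching an undefined token.
    if (!res.ok) {
      throw new Error(`Token request failed with HTTP ${res.status}`);
    }
    const { access_token, expires_in } = await res.json();
    this.token = access_token;
    // expires_in is in seconds; convert to an absolute millisecond timestamp.
    this.expiresAt = Date.now() + expires_in * 1000;
    return access_token;
  }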
}

User Session Flow

For flows where a user logs in directly, use the standard authentication endpoints.

Register

POST /authentication/registration
curl -X POST https://crypto-api.yativo.com/api/authentication/registration \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "securepassword123",
    "first_name": "Jane",
    "last_name": "Doe"
  }'

Log In

POST /authentication/login
curl -X POST https://crypto-api.yativo.com/api/authentication/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "securepassword123"
  }'
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 3600
}

Verify OTP

If login requires email OTP verification: POST /authentication/otp_verification
curl -X POST https://crypto-api.yativo.com/api/authentication/otp_verification \
  -H "Content-Type: application/json" \
  -d '{"otp": "482931", "email": "user@example.com"}'

Verify Google Authenticator Code

POST /authentication/google_auth_verification
curl -X POST https://crypto-api.yativo.com/api/authentication/google_auth_verification \
  -H "Content-Type: application/json" \
  -d '{"code": "123456", "email": "user@example.com"}'

Resend OTP

POST /authentication/resend_otp
curl -X POST https://crypto-api.yativo.com/api/authentication/resend_otp \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Refresh Access Token

GET /authentication/refresh-token
Pass the refresh token (not the access token) in the Authorization header:
curl -X GET https://crypto-api.yativo.com/api/authentication/refresh-token \
  -H "Authorization: Bearer YOUR_REFRESH_TOKEN"
Response
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_in": 3600
}

Authentication Methods at a Glance

| Method | Header | Best For |
| --- | --- | --- |
| API Key headers | X-API-Key + X-API-Secret | Quick testing, simple integrations |
| API Key Bearer token | Authorization: Bearer {token} | Production server-to-server |
| User JWT | Authorization: Bearer {token} | User session flows |

Sandbox Authentication

When testing in the sandbox, use the sandbox base URL with the same authentication endpoints:
https://crypto-sandbox.yativo.com/api/authentication/login
https://crypto-sandbox.yativo.com/api/auth/token
Create a separate API key for sandbox use to keep test and production credentials separate. See the Sandbox docs for details.
Never share your API secret or access tokens in client-side code, public repositories, or logs. Rotate compromised credentials immediately using the /apikey/{id}/rotate endpoint.
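One way to enforce the "not in logs" rule above is to mask credentials before a line reaches the log sink. This is an added example, not code from Yativo. It assumes secrets are the `yvs_<env>_` prefix followed by URL-safe characters and that tokens are three-segment JWTs; `redact`, `MASK` and the sample lines are hypothetical names and constructed data.

```typescript
// Added example: strip Yativo credentials from a line before it is logged.
// Assumptions (the page shows only the prefixes and a truncated JWT):
//   - secrets look like "yvs_<env>_" followed by URL-safe characters
//   - tokens are JWTs: three base64url segments, the first starting with "eyJ"
const MASK = "[REDACTED]";

// Field and header names from the page; their values are masked whatever they look like.
const FIELD_RE =
  /("?(?:api_secret|access_token|refresh_token|x-api-secret)"?\s*[:=]\s*"?)([^"\s,}&]+)/gi;
const BEARER_RE = /(authorization"?\s*[:=]\s*"?bearer\s+)([^"\s,}]+)/gi;
// Bare values outside a named field (error messages, debug dumps).
const BARE_RES: RegExp[] = [
  /\byvs_[a-z]+_[A-Za-z0-9_-]+/g,
  /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g,
];

function redact(line: string): { text: string; hits: number } {
  let hits = 0;
  // Keep the field name so the log stays readable; replace only the value.
  const maskValue = (_match: string, prefix: string): string => {
    hits++;
    return prefix + MASK;
  };
  let text = line.replace(FIELD_RE, maskValue).replace(BEARER_RE, maskValue);
  for (const re of BARE_RES) {
    text = text.replace(re, () => {
      hits++;
      return MASK;
    });
  }
  return { text, hits };
}

// Constructed sample log lines (no real credentials).
const SAMPLE_LINES: string[] = [
  'POST /auth/token body={"api_key":"yvk_live_EXAMPLEKEY","api_secret":"yvs_live_EXAMPLESECRET"}',
  "upstream 401 for Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl",
  "retrying with secret yvs_live_EXAMPLESECRET after timeout",
  "GET /accounts/get-accounts 200 12ms",
];

for (const line of SAMPLE_LINES) {
  const { text, hits } = redact(line);
  console.log(hits > 0 ? `[masked ${hits}] ${text}` : text);
}
```

A non-zero `hits` count is also worth alerting on, since it means a credential reached a logging call in the first place.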