Skip to main content

Authentication & API Keys

ECGrid supports two separate authentication models — one for the REST API and one for the SOAP API. This page covers both in depth, including credential types, session lifecycle, and code examples for each pattern.

REST Authentication

The REST API (v2.6) supports two credential types. You can use either within the same integration.

Method 1 — API Key (Recommended)

An API key is a persistent credential tied to a specific ECGrid User account. It does not expire unless explicitly revoked and is the best choice for automated, server-to-server workflows such as scheduled file polling or batch processing.

Pass the key in the X-API-Key request header on every call:

GET /v2/parcels/inbox-list HTTP/1.1
Host: rest.ecgrid.io
X-API-Key: your-api-key-here
tip

API keys are long-lived. Store them in environment variables or a secrets manager — never in source code or client-side code. See IConfiguration usage in the C# examples below.

Obtaining an API key:

  1. ECGrid Portal — Log in and navigate to your user profile to generate or retrieve your key.
  2. REST API — Call GET /v2/users/key/{userID} with an existing authenticated session. See Get API Key.
# Pass X-API-Key on every request
curl -X POST "https://rest.ecgrid.io/v2/parcels/pending-inbox-list" \
  -H "X-API-Key: $ECGRID_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"mailboxId": 0}'

Method 2 — Bearer JWT (Short-Lived Token)

A Bearer JWT is issued in exchange for credentials via POST /v2/auth/login. Tokens are short-lived and must be refreshed. This pattern is appropriate for user-facing flows where you need a time-bounded credential.

Step 1 — Login to obtain a token:

POST /v2/auth/login HTTP/1.1
Host: rest.ecgrid.io
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "YourPassword1!"
}

Response:

{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
    "expiresAt": "2026-05-07T18:00:00Z"
  }
}

Step 2 — Use the token in subsequent requests:

GET /v2/parcels/inbox-list HTTP/1.1
Host: rest.ecgrid.io
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Step 3 — Refresh before expiry:

POST /v2/auth/refresh HTTP/1.1
Host: rest.ecgrid.io
Content-Type: application/json

{
  "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
}

Step 4 — Validate the current session:

POST /v2/auth/session HTTP/1.1
Host: rest.ecgrid.io
X-API-Key: your-api-key-here

Returns the current session's context (user, mailbox, network, auth level).

Step 5 — Logout to invalidate the session:

POST /v2/auth/logout HTTP/1.1
Host: rest.ecgrid.io
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
# Step 1 — obtain a token
TOKEN=$(curl -s -X POST "https://rest.ecgrid.io/v2/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"YourPassword1!"}' \
  | jq -r '.data.token')

# Step 2 — use the token on subsequent calls
curl -X POST "https://rest.ecgrid.io/v2/parcels/pending-inbox-list" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mailboxId": 0}'

SOAP Authentication

The SOAP API uses a stateful session model. Every method call requires a SessionID string obtained from Login(). Your API Key can be used in place of the SessionID for automated, server-to-server workflows — you do not need to call Login() when using your API Key directly.

Login

Call Login() with your ECGrid email and password to receive a SessionID:

// .NET 10 — dotnet-svcutil generated proxy
var client = new ECGridOSPortTypeClient();

string sessionID = await client.LoginAsync(email, password);
// sessionID is now valid for subsequent calls

Pass the SessionID as the first argument to every subsequent method:

var parcelList = await client.ParcelInBoxAsync(sessionID, mailboxID, beginDate, endDate);
var networkInfo = await client.NetworkInfoAsync(sessionID, networkID);

Session Lifespan

SOAP sessions expire after a period of inactivity. For long-running processes, either:

  • Use a persistent API key (available via UserGetAPIKeyAsync())
  • Re-login when a session-expired SOAP fault is received

SessionInfo and SessionLog

Inspect the current session with SessionInfo():

var info = await client.SessionInfoAsync(sessionID);
// Returns user, mailbox, network, auth level, and expiry time

Review recent activity with SessionLog():

var log = await client.SessionLogAsync(sessionID, beginDate, endDate);

Logout

Always call Logout() when the session is no longer needed:

await client.LogoutAsync(sessionID);

SOAP Full Session Lifecycle

// .NET 10 — dotnet-svcutil generated proxy, full session lifecycle
using var client = new ECGridOSPortTypeClient();

var sessionID = string.Empty;
try
{
    // Authenticate — credentials from IConfiguration
    sessionID = await client.LoginAsync(
        config["ECGrid:Email"]!,
        config["ECGrid:Password"]!);

    // Use the session
    var mailbox = await client.MailboxInfoAsync(sessionID, mailboxID);
    Console.WriteLine($"Mailbox: {mailbox.MailboxName}");
}
finally
{
    // Always logout, even on exception
    if (!string.IsNullOrEmpty(sessionID))
        await client.LogoutAsync(sessionID);
}

Password Requirements

All ECGrid passwords must satisfy:

^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^a-zA-Z0-9]).+$

At least one lowercase letter, one uppercase letter, one digit, and one special character. No maximum length.

Best Practices

ScenarioRecommended approach
Scheduled file pollingREST with API key — stateless, no session management
Batch processing serviceREST with API key — long-lived, no expiry
User-facing web applicationREST with Bearer JWT — scoped to user session
Existing SOAP integrationSOAP SessionID — minimize changes until migration
Migrating SOAP to RESTSwap Login() / SessionID for X-API-Key header

Environment Variable Reference

VariableDescription
ECGrid__ApiKeyAPI key for X-API-Key header authentication
ECGrid__EmailUser email for Bearer JWT or SOAP login
ECGrid__PasswordUser password for Bearer JWT or SOAP login
note

The double-underscore (__) is the standard .NET environment variable delimiter for nested configuration keys (equivalent to ECGrid:ApiKey in JSON).

See Also