Rev.io API Authentication

Exchange an API key for a JWT token and use it for authenticated requests to Rev.io APIs. API keys are created by system administrators via Admin > API Management, with role-based access controls applied based on the key creator's permissions.

Authentication Flow

Step 1: Exchange API Key for JWT Token

Obtain a JWT token using your Rev.io API key:

POST https://api.psarev.io/api/v1/auth/api-key/exchange

Header: Content-Type: application/json

Body: {"apiKey": "your-api-key-here"}

Expected Response:

{ "data": { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." } }

Step 2: Extract JWT Token

Read the JWT token from the data.token field of the JSON response.

Step 3: Use Authorization and X-Revio-Host Headers

Include the JWT token in the Authorization header as a Bearer token and an X-Revio-Host header (the domain of your PSA website) for all subsequent API calls:

Authorization: Bearer <your-jwt-token>

X-Revio-Host: acme.psarev.io

Content-Type: application/json

API Endpoint Examples

Get Contacts

GET https://api.psarev.io/billing/api/v1/contacts

Get Specific Contact

GET https://api.psarev.io/billing/api/v1/contacts/{id}

Get Customers

GET https://api.psarev.io/billing/api/v1/customers

Get Specific Customer

GET https://api.psarev.io/billing/api/v1/customers/{customerId}

Complete Script Example (bash)

#!/bin/bash

API_KEY="your-api-key-here"

BASE_URL="https://api.psarev.io"

REVIO_HOST="acme.psarev.io"

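# Step 1: Exchange API key for JWT token (jq builds the JSON body so the key is quoted and escaped correctly)

RESPONSE=$(curl -s -X POST "$BASE_URL/api/v1/auth/api-key/exchange" -H "Content-Type: application/json" -d "$(jq -n --arg key "$API_KEY" '{apiKey: $key}')")

# Step 2: Extract token; stop if the exchange did not return one

TOKEN=$(echo "$RESPONSE" | jq -r '.data.token // empty')

if [ -z "$TOKEN" ]; then echo "Token exchange failed" >&2; exit 1; fi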

# Step 3: Make API request

curl -X GET "$BASE_URL/billing/api/v1/contacts" -H "Authorization: Bearer $TOKEN" -H "X-Revio-Host: $REVIO_HOST" -H "Content-Type: application/json"

Error Handling

Invalid API Key

An HTTP 4xx error is returned if the API key is invalid.

Token Expiration

JWT tokens may expire. If you receive a 401 Unauthorized error, re-exchange your API key for a new token.
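
The re-exchange on 401 described above, sketched as a small Python client. This is an added example, not Rev.io's own code: the names RevioClient, http_json and the send parameter are hypothetical, and it assumes a successful exchange returns the token at data.token as shown in Step 1.

```python
# Added example (not Rev.io code); RevioClient and http_json are hypothetical names.
import json
import urllib.error
import urllib.request

BASE_URL = "https://api.psarev.io"


def http_json(method, url, headers, body=None):
    """Send one request; return (status, parsed JSON or None). Replaceable in tests."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None  # 4xx/5xx: hand the status back, discard the body


class RevioClient:
    """Holds the JWT in memory only and re-exchanges the API key once on 401."""

    def __init__(self, api_key, revio_host, send=http_json):
        self._api_key, self._host, self._send = api_key, revio_host, send
        self._token = None  # never logged or written to disk

    def _exchange(self):
        status, payload = self._send(
            "POST", f"{BASE_URL}/api/v1/auth/api-key/exchange",
            {"Content-Type": "application/json"}, {"apiKey": self._api_key})
        token = ((payload or {}).get("data") or {}).get("token")
        if status >= 400 or not token:
            # Report the status only; key and response body stay out of the message.
            raise PermissionError(f"API key exchange failed (HTTP {status})")
        self._token = token

    def get(self, path):
        for _attempt in range(2):  # first try, then one retry after re-exchange
            if self._token is None:
                self._exchange()
            status, payload = self._send("GET", f"{BASE_URL}{path}", {
                "Authorization": f"Bearer {self._token}",
                "X-Revio-Host": self._host,
                "Content-Type": "application/json"})
            if status != 401:
                return status, payload
            self._token = None  # token expired or rejected: drop it and retry
        return status, payload  # still 401 after a fresh token: let the caller decide
```

Construct the client with the key read from an environment variable or credential store, for example RevioClient(os.environ["REVIO_API_KEY"], "acme.psarev.io"), where REVIO_API_KEY is an assumed variable name. A 401 that persists after a fresh token is returned to the caller rather than retried in a loop.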

Security Best Practices

1. Store API keys securely — Use environment variables or secure credential storage.

2. Token rotation — Regularly exchange for new tokens.

3. HTTPS only — Always use HTTPS for API requests.

4. Don't log tokens — Avoid logging JWT tokens in plain text.