All requests to the REST-API with the exception of the login request need to be authenticated. For clients to authenticate, the token key should be included in the Authorization HTTP header. The key should be prefixed by the string literal "Token", with whitespace separating the two strings. For example:

Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b

Unauthenticated responses that are denied permission will result in an HTTP 401 Unauthorized response with an appropriate WWW-Authenticate header. For example:

WWW-Authenticate: Token

The curl command line tool may be useful for testing token authenticated APIs. For example:

curl -X GET -H 'Authorization: Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b'

Retrieving Tokens

Authorization tokens are issued and returned when a user registers. A registered user can also retrieve their token with the following request:


POST api-token-auth/


Name Type Description
username string The user's username
password string The user's password


  "token": "9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"