Authentication
All APIs (except this one and a few utilities) require a JWT bearer token. Tokens expire 30 minutes after they are issued and must be refreshed.
# Get Token
Authenticate using your client credentials. Returns a short-lived JWT token for use in the Authorization header.
Request Body — application/x-www-form-urlencoded
| Field | Type | Required | Description |
|---|---|---|---|
| clientId | string | REQUIRED | Client identifier provided by the HD team. Example: bosch-experience-api |
| clientSecret | string | REQUIRED | Secret key corresponding to your clientId. Contact HD team to obtain. |
Response — 200 OK

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE3NzU0ODU0NjcsImlhdCI6MTc3NTQ4MzY2N...",
  "expires_in": 1800
}
```

expires_in is in seconds; 1800 means the token is valid for 30 minutes.

Response Fields
| Field | Description |
|---|---|
| access_token | JWT token string. Attach to every subsequent request as: Authorization: Bearer <access_token> |
| expires_in | Token validity in seconds. 1800 = 30 minutes. |
Using in Postman: Copy access_token → Set Collection Variable token = <value>. All subsequent requests use {{token}} automatically via Bearer Auth.

Security: Never expose clientSecret in frontend/client-side code. Token generation must happen on your backend server. Treat clientSecret like a password.

Token Expiry: If you receive a 401 Unauthorized, your token has expired. Re-call this endpoint to obtain a fresh token. Consider proactively refreshing tokens every 25 minutes.
How to use the token

Add the header to every request:

```
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```

Example curl request:

```bash
curl -X GET "https://ondc.highwaydelite.com/trv14/categories" \
  -H "Authorization: Bearer <your_access_token>"
```
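A backend-side token cache that follows the rules above (credentials POSTed as application/x-www-form-urlencoded, proactive refresh 5 minutes before the 1800-second expiry, a single retry on 401), written here as an added Python example rather than code from this documentation. The token endpoint URL is a placeholder because the page does not state it, and the fetch and clock functions are injectable so the cache logic can be exercised without network access.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Placeholder: the docs do not state the token endpoint URL; substitute the real one.
TOKEN_URL = "https://<hd-host>/<get-token-endpoint>"
REFRESH_MARGIN = 300  # refresh 5 min early: 1800 s - 300 s = the 25 min the docs suggest


def request_token(client_id: str, client_secret: str) -> dict:
    """POST the client credentials as application/x-www-form-urlencoded and
    return the parsed JSON body: {"access_token": ..., "expires_in": ...}."""
    body = urllib.parse.urlencode(
        {"clientId": client_id, "clientSecret": client_secret}).encode()
    req = urllib.request.Request(TOKEN_URL, data=body, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Server-side token cache: the clientSecret stays on the backend."""
    def __init__(self, client_id, client_secret, fetch=request_token,
                 clock=time.monotonic):
        self._creds = (client_id, client_secret)
        self._fetch, self._clock = fetch, clock  # injectable for offline tests
        self._token, self._deadline = None, 0.0
        self.fetch_count = 0  # how many times credentials were exchanged

    def get_token(self) -> str:
        """Return the cached token, refreshing it before it expires."""
        if self._token is None or self._clock() >= self._deadline:
            data = self._fetch(*self._creds)
            self.fetch_count += 1
            self._token = data["access_token"]
            ttl = int(data.get("expires_in", 1800))
            self._deadline = self._clock() + max(ttl - REFRESH_MARGIN, 60)
        return self._token

    def invalidate(self) -> None:
        self._token = None  # next get_token() exchanges credentials again


def call_api(mgr: TokenManager, send: Callable[[Dict[str, str]], int]) -> int:
    """Send with the bearer header; on 401 fetch a fresh token and retry once."""
    status = send({"Authorization": f"Bearer {mgr.get_token()}"})
    if status == 401:
        mgr.invalidate()
        status = send({"Authorization": f"Bearer {mgr.get_token()}"})
    return status
```

Pass a function that performs the real HTTP call and returns its status code as `send`; the manager only ever hands it the Authorization header, never the secret.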