Authentication

VectorCare implements the OAuth2 protocol for authenticating applications. You must obtain an access token before making API requests.

POST https://auth.vectorcare.com/v2.0/oauth2/token

Request

Send a POST request with form-data body:

Field	Value	Description
`client_id`	Your client ID	Generated in VectorCare Open API settings
`client_secret`	Your client secret	Generated in VectorCare Open API settings
`grant_type`	`client_credentials`	Always use this value

Example Request

curl -X POST https://auth.vectorcare.com/v2.0/oauth2/token \
  -d "client_id=your_client_id" \
  -d "client_secret=your_client_secret" \
  -d "grant_type=client_credentials"

Response

Success (200 OK)

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...",
  "token_type": "bearer",
  "expires_in": 3600
}

Field	Type	Description
`access_token`	string	JWT token for API requests
`token_type`	string	Always `bearer`
`expires_in`	integer	Token lifetime in seconds (typically 3600)

Error (401 Unauthorized)

{
  "error_description": "Client authentication failed.",
  "error": "invalid_client"
}

Using the Token

Include the token in the Authorization header for all API requests:

curl -X POST https://hub.vectorcare.com/openapi/v2.0/requests/KP-ABCD1234/state/ \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..." \
  -H "Content-Type: application/json" \
  -d '{"name": "en_route", "timestamp": "2025-01-15T14:30:00Z"}'

Token Refresh

The expires_in field indicates when the token will expire (typically 1 hour). Proactively refresh your token before expiration to avoid 401 Unauthorized errors.

Recommended approach:

Store the token and its expiration time
Request a new token when ~80% of the lifetime has elapsed
Retry failed requests with a fresh token if you receive a 401

Generating Credentials

Log into VectorCare as an organization admin
Navigate to Settings → Open API
Click Generate Credentials
Store your client_id and client_secret securely