# Authentication

To authenticate, call the following endpoint with your Volven/TYR Markets username (which is your email) and password:

```http
POST /httpserver/main/v2/auth/login
{
    "username": "<email>",  
    "password": "<password>"
}
```

If you have 2FA enabled, you will get the following response:

```http
200 OK
{
    "awsUsername": "9205eec4-8b36-48a4-aa6c-a73e8ce01684",
    "session": "AYABeK9med7n...Z7oBVQAjVJEZ0k",
    "challengeName": "SOFTWARE_TOKEN_MFA",
    "status": "CHALLENGE_REQUIRED"
}
```

In that case you have to provide the OTP (one-time password) from your configured authenticator app.\
Send it in the `challengeAnswer` field along with `awsUsername` and `session` from the previous authentication response:

```http
POST /httpserver/main/v2/auth/login
{
    "awsUsername": "9205eec4-8b36-48a4-aa6c-a73e8ce01684",
    "session": "AYABeK9med7n...Z7oBVQAjVJEZ0k",
    "challengeName": "SOFTWARE_TOKEN_MFA",
    "status": "CHALLENGE_REQUIRED",
    "challengeAnswer": "898165"
}
```

Once you are successfully authenticated (with or without 2FA enabled), you will get the following response:

```http
200 OK
Authorization: Bearer eyJraWQiOiJWQmd...8yeUJmCX2JXxyJBzHA
{
    "refreshToken": "eyJjdHkiOiJKV1Qi...ULGaonedpIyv86GNpg",
    "expirationTime": 3600,
    "isAppConnected": false
}
```

Use the token received in the `Authorization` header of the response above to authorize all business API requests. Pass this token in the `Authorization` header of every HTTP request and when initiating a WebSocket connection.

The token is valid for `expirationTime` seconds, which in this case is 1 hour. If you want to use the API continuously but authenticate only once, use the `refreshToken` from the response above. Perform the following call periodically before your session expires (for instance, 5 minutes before the expiration time):

```http
POST /httpserver/main/v2/auth/login
{
    "refreshToken": "eyJjdHkiOiJKV1Qi...ULGaonedpIyv86GNpg"
}
```

You should receive the following response, meaning that your session has been prolonged and will expire at `expirationTime` (Unix timestamp). Replace your existing token with the new one from the `Authorization` header of the response below:

```http
200 OK
Authorization: Bearer eyJraWQiOiJWQmd...nFmxU4PiUIV38iEbZA
{
    "expirationTime": 1758546865
}
```
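
The whole flow above (login, optional 2FA challenge, refresh 5 minutes before expiry) as an added client-side sketch; this is example code, not part of the Volven/TYR Markets API or SDK. The `Session` class, the `post(path, body) -> (headers, body)` transport callable and `otp_provider` are hypothetical names; wire `post` to your own HTTPS client.

```python
import time

LOGIN_PATH = "/httpserver/main/v2/auth/login"  # endpoint from the page
REFRESH_MARGIN = 300  # refresh 5 minutes before expiry, as the page suggests


class Session:
    """Tracks the bearer token and when it must be renewed.

    `post` is a hypothetical transport: post(path, body) -> (headers, body),
    both dicts. It is an assumption of this example, not part of the API.
    """

    def __init__(self, post, clock=time.time):
        self.post, self.clock = post, clock
        self.token = self.refresh_token = None
        self.expires_at = 0.0

    def _store_token(self, headers):
        # The token arrives as "Authorization: Bearer <token>".
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            raise RuntimeError("response carried no bearer token")
        self.token = token

    def login(self, username, password, otp_provider=None):
        headers, body = self.post(LOGIN_PATH, {"username": username, "password": password})
        if body.get("status") == "CHALLENGE_REQUIRED":
            if otp_provider is None:
                raise RuntimeError("2FA is enabled but no OTP source was supplied")
            # Echo the challenge fields back and add the authenticator code.
            answer = dict(body, challengeAnswer=otp_provider())
            headers, body = self.post(LOGIN_PATH, answer)
        self._store_token(headers)
        self.refresh_token = body["refreshToken"]
        # After login, expirationTime is a lifetime in seconds.
        self.expires_at = self.clock() + body["expirationTime"]

    def refresh_if_due(self):
        """Renew the token once inside the refresh margin; return True if renewed."""
        if self.clock() < self.expires_at - REFRESH_MARGIN:
            return False
        headers, body = self.post(LOGIN_PATH, {"refreshToken": self.refresh_token})
        self._store_token(headers)
        # After a refresh, expirationTime is an absolute Unix timestamp.
        self.expires_at = float(body["expirationTime"])
        return True
```

Note that `expirationTime` is handled differently on the two paths: the login response gives a lifetime in seconds, while the refresh response gives an absolute Unix timestamp.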
