Authentication

The RateMatch API uses a two-step authentication flow: API keys for initial authentication, then JWT tokens for API requests.

Authentication Flow

  1. Get your API Key

     Obtain an API key from your partner dashboard. Keys start with rm_live_ (production) or rm_sandbox_ (testing).

  2. Exchange for JWT Token

     Call POST /v1/auth/token with your API key to receive access and refresh tokens.

  3. Use Bearer Token

     Include the access token in subsequent requests as Authorization: Bearer <token>

API Keys

Your API key is a secret credential that identifies your partner account. Keep it secure and never expose it in client-side code.

API Key Format
rm_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ   # Production
rm_sandbox_aBcDeFgHiJkLmNoPqRsTuVwXyZ  # Sandbox

Security Note: Never commit API keys to source control or expose them in client-side applications.

Token Exchange

Exchange your API key for JWT tokens. Access tokens expire after 2 hours, refresh tokens after 30 days.

POST /v1/auth/token
curl -X POST https://api.ratematch.com.au/v1/auth/token \
  -H "Content-Type: application/json" \
  -H "X-API-Key: rm_live_your_api_key" \
  -d '{"grantType": "api_key"}'
Response
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "64f8a2b1c3d4e5f6...",
  "tokenType": "Bearer",
  "expiresIn": 7200
}

Refreshing Tokens

When your access token expires, use the refresh token to get a new one without re-authenticating with your API key.

POST /v1/auth/refresh
curl -X POST https://api.ratematch.com.au/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refreshToken": "your_refresh_token"}'

Using the Access Token

Include the access token in the Authorization header for all API requests:

Making authenticated requests
curl https://api.ratematch.com.au/v1/applications \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
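
Server-side token cache for the flow above, as an added example that is not RateMatch's own code: it exchanges the API key once, reuses the access token until shortly before expiresIn elapses, refreshes it, and falls back to the API key only if the refresh is rejected. Assumptions: the refresh response carries the same fields as the token response, a rejected refresh surfaces as an HTTP error, and the RATEMATCH_API_KEY variable name and 60-second margin are illustrative.

```python
import json, os, time
import urllib.error, urllib.request

BASE = "https://api.ratematch.com.au"
SKEW = 60  # assumed safety margin (seconds) before the stated expiry

def http_post(path, headers, body):
    """Default transport: POST JSON, return parsed JSON (raises HTTPError on 4xx/5xx)."""
    req = urllib.request.Request(
        BASE + path, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class TokenManager:
    def __init__(self, api_key, post=http_post, clock=time.monotonic):
        if not api_key.startswith(("rm_live_", "rm_sandbox_")):
            raise ValueError("unexpected API key prefix")
        self._key, self._post, self._clock = api_key, post, clock
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, tok):
        self._access = tok["accessToken"]
        # Assumption: if a refresh response omits refreshToken, keep the old one.
        self._refresh = tok.get("refreshToken", self._refresh)
        self._expires_at = self._clock() + tok["expiresIn"] - SKEW

    def bearer(self):
        """Return a current Authorization header value, renewing when needed."""
        if self._access and self._clock() < self._expires_at:
            return "Bearer " + self._access
        if self._refresh:
            try:
                self._store(self._post("/v1/auth/refresh", {},
                                       {"refreshToken": self._refresh}))
                return "Bearer " + self._access
            except urllib.error.HTTPError:
                self._refresh = None  # rejected or expired: fall back to the API key
        self._store(self._post("/v1/auth/token", {"X-API-Key": self._key},
                               {"grantType": "api_key"}))
        return "Bearer " + self._access

if __name__ == "__main__":
    # The key is read from the environment so it never lands in source control.
    tm = TokenManager(os.environ["RATEMATCH_API_KEY"])
    tm.bearer()
    print("access token acquired")
```

The API key is sent only on the initial exchange and on the fallback path; every other request carries the short-lived access token.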