Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yofacturo.es/llms.txt

Use this file to discover all available pages before exploring further.

Overview

YoFacturo uses a two-step authentication flow:
  1. Exchange your organization’s api_key for a short-lived session_token.
  2. Include the session_token as a Bearer token in the Authorization header of every subsequent request.
api_key  →  POST /api/v1/auth/sessions  →  session_token  →  Bearer <session_token>

Step 1 — Get your API key

Log in to YoFacturo, navigate to Settings → API, and copy your organization’s api_key. API keys follow the format org_live_<random>.
Keep your api_key secret. It gives full API access to your organization’s data. Do not commit it to version control or expose it in client-side code.

Step 2 — Create a session token

Exchange your api_key for a session_token valid for 24 hours.

Endpoint

POST /api/v1/auth/sessions

Request

api_key
string
required
Your organization’s API key (e.g. org_live_1234567890abcdef).

Example

curl -X POST https://app.yofacturo.es/api/v1/auth/sessions \
  -H "Content-Type: application/json" \
  -d '{"api_key": "org_live_1234567890abcdef"}'

Response

{
  "session_token": "H2sY0Qw_example_8eA",
  "expires_at": "2026-03-27T10:30:00Z"
}
FieldTypeDescription
session_tokenstringBearer token to use in subsequent requests
expires_atISO 8601 datetimeExpiry time of the token (24 hours from issuance)

Error responses

StatusCodeCause
400bad_requestapi_key parameter is missing or empty
401unauthorizedThe provided api_key is invalid or has been revoked

Step 3 — Authenticate requests

Include the session_token in the Authorization header as a Bearer token for all protected endpoints: 
curl https://app.yofacturo.es/api/v1/invoice_batches \
  -H "Authorization: Bearer H2sY0Qw_example_8eA"
If the token is missing, expired, or invalid, the API returns 401 Unauthorized: 
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or expired session token"
  }
}

Token expiry and renewal

Session tokens expire 24 hours after creation. There is no refresh mechanism — simply request a new token by calling POST /api/v1/auth/sessions again with your api_key. We recommend storing the expires_at timestamp and proactively renewing the token before it expires to avoid failed requests.