Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.yofacturo.es/llms.txt

Use this file to discover all available pages before exploring further.

Overview

YoFacturo uses a two-step authentication flow:
  1. Exchange your organization’s api_key for a short-lived session_token.
  2. Include the session_token as a Bearer token in the Authorization header of every subsequent request.

Create a session token

Exchange your api_key for a session_token valid for 24 hours.

Endpoint

POST /api/v1/auth/sessions

Request

api_key
string
required
Your organization’s API key.

Example

curl -X POST https://app.yofacturo.es/api/v1/auth/sessions \
  -H "Content-Type: application/json" \
  -d '{"api_key": "your_api_key_here"}'

Response

This endpoint returns a flat JSON object — no data envelope. 
{
  "session_token": "H2sY0Qw_example_8eA",
  "expires_at": "2026-03-27T10:30:00Z"
}
FieldTypeDescription
session_tokenstringBearer token to use in subsequent requests
expires_atISO 8601 datetimeExpiry time of the token (24 hours from issuance)

Error responses

StatusCodeCause
400bad_requestapi_key parameter is missing, null, or empty
401unauthorizedThe provided api_key is invalid or has been revoked — message: "Invalid API key"

Authenticate requests

Include the session_token in the Authorization header as a Bearer token for all protected endpoints: 
curl https://app.yofacturo.es/api/v1/invoice_batches \
  -H "Authorization: Bearer H2sY0Qw_example_8eA"
If the Authorization header is missing, the API returns 401 Unauthorized: 
{
  "error": {
    "code": "unauthorized",
    "message": "Missing Authorization header"
  }
}
If the token is invalid or expired, the API returns 401 Unauthorized: 
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or expired session token"
  }
}

Token expiry and renewal

Session tokens expire 24 hours after creation. There is no refresh mechanism — simply request a new token by calling POST /api/v1/auth/sessions again with your api_key. We recommend storing the expires_at timestamp and proactively renewing the token before it expires to avoid failed requests.