Getting started
Authentication
The Partner API uses OAuth2 client credentials. You exchange your client_id and client_secret for a short-lived bearer token, then send that token on every API call.
Official SDKs
Install the PHP SDK with composer require starmile/partner-sdk (PHP 7.1+). It handles authentication, retries and typed errors for you. Every endpoint in this reference includes a PHP tab next to the cURL example. Node.js and Python SDKs are on the way.
Run it in Postman
Import the collection and one environment, set your client_id and client_secret, then run Authentication › Get access token — every other request inherits the bearer token automatically.
The two environments are identical in shape — set each environment’s base_url and credential to the values your partner gives you for that environment.
There is no user login in this flow — the credential itself is your identity. Keep the client_secret server-side; never expose it in a browser or mobile app. If a secret is leaked, ask your partner to rotate it (the old secret stops working immediately).
Using the token
Send the access token as a bearer token on every request: Authorization: Bearer <access_token>. Tokens are short-lived (typically one hour); when one expires, request a new one with the same credential.
Obtain an access token
/oauth/token
Exchange your client credentials for a bearer token for machine-to-machine access. Send the body as JSON or as application/x-www-form-urlencoded.
Request body
grant_type (string, required) - Must be "client_credentials".
client_id (string, required) - The client identifier issued to you.
client_secret (string, required) - The client secret issued to you.
Response (200)
token_type (string, optional) - Always "Bearer".
expires_in (integer, optional) - Seconds until the access token expires.
access_token (string, optional) - The bearer token to send on subsequent requests.
curl -X POST https://api.starmile.io/oauth/token \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d",
    "client_secret": "<your client secret>"
  }'
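The token lifecycle described under "Using the token", as an added Python example (not Starmile SDK code and not part of the original reference): it keeps one bearer token in memory and requests a new one shortly before expires_in runs out. The TokenCache, http_fetch and cache_from_env names, the STARMILE_* environment variable names and the 60-second skew are assumptions.

```python
import json
import os
import time
import urllib.request

TOKEN_URL = "https://api.starmile.io/oauth/token"  # endpoint from the cURL example above


def http_fetch(client_id, client_secret):
    """POST the client credentials as JSON and return the decoded response."""
    body = json.dumps({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(
        TOKEN_URL, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds one bearer token in memory and renews it shortly before expiry."""

    def __init__(self, client_id, client_secret, fetch=http_fetch, clock=time.monotonic, skew=60):
        self._id, self._secret = client_id, client_secret
        self._fetch, self._clock, self._skew = fetch, clock, skew
        self._token, self._expires_at = None, 0.0

    def __repr__(self):
        # Keep the secret and the token out of logs and tracebacks.
        return f"TokenCache(client_id={self._id!r})"

    def auth_header(self):
        if self._token is None or self._clock() >= self._expires_at:
            resp = self._fetch(self._id, self._secret)
            if resp.get("token_type", "Bearer").lower() != "bearer" or not resp.get("access_token"):
                raise ValueError("unexpected token response")
            # expires_in is optional in the response; assume 0 (no reuse) when it is missing.
            lifetime = int(resp.get("expires_in", 0))
            self._token = resp["access_token"]
            self._expires_at = self._clock() + max(lifetime - self._skew, 0)
        return {"Authorization": f"Bearer {self._token}"}


def cache_from_env():
    # Hypothetical variable names; the secret comes from the server's environment, not source code.
    return TokenCache(os.environ["STARMILE_CLIENT_ID"], os.environ["STARMILE_CLIENT_SECRET"])
```

Pass the result of auth_header() as the headers of each API request; the fetch and clock parameters exist so the renewal logic can be exercised without network access.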