# Getting Started

Here are the steps you need to follow to authorize your requests to the API:

1. Get an API client ID and client secret. These should be provided by your organization administrator.
2. Make a `POST` request to the `https://garmat-gdx.us.auth0.com/oauth/token` endpoint, including your client ID, client secret, audience, and grant type in the body as shown in the example.
3. If the request is successful, it should return a JSON response containing `{"access_token": YOUR_ACCESS_TOKEN}`.
4. For requests to the API, include an `Authorization` header whose value contains only the word `Bearer` and your token, like: `Bearer YOUR_ACCESS_TOKEN`.
5. That should allow you to hit any of the available endpoints, as shown in the final example.

> warn
> As a preventive measure, if you're building a client to consume the GDX API, avoid modifying your TLS-initiating application to trust only Starfield C2,
> as it will no longer be included in certificates generated by ACM, which we use.
> For more information about this, read [this article](https://aws.amazon.com/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/).

## Example

Example body for `POST https://garmat-gdx.us.auth0.com/oauth/token`:

```json
{
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "audience": "https://production-api.garmatsprayboothcustomers.com",
  "grant_type": "client_credentials"
}
```

Example response:

```json
{
  "access_token": "JWT token",
  "token_type": "Bearer"
}
```

Subsequent request example:

```
$ curl \
  -X GET https://production-api.garmatsprayboothcustomers.com/booths \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
```
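
The token request and `Authorization` header from the steps above, written as a Python helper that reuses the token until shortly before it expires instead of requesting a new one per call. This is an added example, not code from the GDX documentation; `TokenCache`, `http_post_json` and `jwt_exp` are hypothetical names, and it assumes the access token is a JWT carrying the standard `exp` claim.

```python
import base64
import json
import time
import urllib.request

TOKEN_URL = "https://garmat-gdx.us.auth0.com/oauth/token"          # from the page
AUDIENCE = "https://production-api.garmatsprayboothcustomers.com"  # from the page


def http_post_json(url, payload):
    """Default transport: POST JSON over TLS, validated against the system
    trust store (no pinning to a single root CA)."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_exp(token):
    """Read the `exp` claim for cache timing only. The signature is NOT
    verified here; the API verifies the token when it is presented."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]


class TokenCache:
    """Hypothetical helper: fetch a token once, refresh `skew` seconds early."""

    def __init__(self, client_id, client_secret,
                 post=http_post_json, clock=time.time, skew=60):
        # Load client_id/client_secret from the environment or a secret
        # store at the call site; do not hard-code them in source.
        self._body = {"client_id": client_id, "client_secret": client_secret,
                      "audience": AUDIENCE, "grant_type": "client_credentials"}
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._exp = None, 0

    def auth_header(self):
        if self._token is None or self._clock() >= self._exp - self._skew:
            resp = self._post(TOKEN_URL, self._body)
            if ("access_token" not in resp
                    or resp.get("token_type", "").lower() != "bearer"):
                # Do not log `resp` or the request body: both hold credentials.
                raise ValueError("unexpected token response")
            self._token = resp["access_token"]
            self._exp = jwt_exp(self._token)
        return {"Authorization": f"Bearer {self._token}"}
```

Pass the dictionary returned by `auth_header()` as the request headers for each API call, for example the `GET /booths` request shown above.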