# Authentication

## Via user

Some protected API routes are secured with a bearer token. To access such a route, an "Authorization" header has to be appended with the content "Bearer \<token>". A valid token can be retrieved by calling the [login API](https://docs.flecs.tech/product-docs/engineering/api-docs/flecs-console-api/users#login). The following routes are affected:

* `/api/v2/my/products`
* `/api/v2/my/products/apps`
* `/api/v2/my/subscrptions`

In addition you can use this to activate your device. See [#activate-device-via-user-license](#activate-device-via-user-license "mention") for details.

## Via session id

Some protected API routes require a session id. To access such a route, an "X-Session-Id" header has to be appended with the session id as the content. For getting a session id see [#acquiring-a-session-id](#acquiring-a-session-id "mention"). The following routes are affected:

* `/api/v2/device/license/validate`
* `/api/v2/manifests/{app}/{version}`
* `/api/v2/tokens`

## Acquiring a session id

A successful device activation produces an initial session id which you can use to authenticate API calls. After some time the session id will expire. The console will set a currently valid session id in the "X-Session-Id" header of all responses on routes that require a session id for authentication. You should inspect the session id of all responses and switch to the new session id as soon as it changes.

## Device activation

There are two ways to activate your device which will be explained in the following.

### Activate device via user

{% hint style="danger" %}
Activating a device via a user consumes a license which can not be used again
{% endhint %}

The route `/api/v2/device/license/activate` can be used to activate your device by providing an "Authorization" header as seen in [#via-user](#via-user "mention"). On successful activation the console will respond with a valid session id and a license key. Put your license key somewhere save as you can reactivate your device via this license key if you lose your session id (e.g. after your device was factory reset). See [#activate-device-via-license-key](#activate-device-via-license-key "mention").

### Activate device via license key

The route `/api/v2/device/license/activate` can be used to activate your device by providing a license key in the request body. On successful activation the console will respond with a valid session id and a license key. This license key can be used to reactivate your device in case you lose your session id, but this will invalidate the previously used session id.