To perform a non-anonymous call on Quatrix API, a client application should obtain a session token. Additionally, every call should be signed with the user's password pbkdf2 to form 'authorisation' header.

Login call accepts user login (email), referer (to differentiate accounts) and authorisation token. Authorisation token is calculated based on HTTP request method, route URI, login, timestamp and user's password pbkdf2.

If the login was successful, API returns 200 OK status with X-Auth-Token header containing newly created session token. This session ID is than used as variable to calculate authorisation token for next API calls that require authorisationSession token is than used to authorize user making API calls.

Session token is valid/active during certain period of time (15 min) since last API action. If there were no activity during that period session token is expired and user has to obtain a new one.

Failed login returns 401 HTTP error.