# Security aspects

### Authentication

The Merchant API requires you to authenticate with the email and password of a user account that you must first create on the Merchant Panel. When you send an authentication request to the [**Login Endpoint**](https://apidocs.onekeypayments.com/api-reference/reconciliation-api/login), we respond with a cookie called **BEARER\_TOKEN** containing a **token** that you must use in subsequent API calls to remain authenticated.

{% hint style="warning" %}
The **BEARER\_TOKEN** cookie expires 15 minutes after its last request. You can also call the [**Logout Endpoint**](https://apidocs.onekeypayments.com/api-reference/reconciliation-api/logout) to invalidate the cookie so that it can no longer be used.
{% endhint %}
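
The following Python helper is an added example, not code from the Merchant API documentation. It shows one way a client can hold the **BEARER\_TOKEN** cookie, track the 15-minute idle window, and refuse to attach the token to a non-HTTPS URL. The class name `BearerSession` is hypothetical, and sending the token back as a `Cookie` header is an assumption.

```python
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

IDLE_LIMIT = 15 * 60  # seconds; the cookie expires 15 minutes after its last request


class BearerSession:
    """Client-side holder for the BEARER_TOKEN cookie (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the idle window can be tested
        self._token = None
        self._last_used = None

    def store_login_response(self, set_cookie_headers):
        """Extract BEARER_TOKEN from the login response's Set-Cookie headers."""
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            if "BEARER_TOKEN" in jar:
                self._token = jar["BEARER_TOKEN"].value
                self._last_used = self._clock()
                return True
        return False                 # login response carried no token

    def is_live(self):
        """True while a token is held and the idle window has not elapsed."""
        return (self._token is not None
                and self._clock() - self._last_used < IDLE_LIMIT)

    def headers_for(self, url):
        """Return the Cookie header for url, or raise if it must not be sent."""
        if urlsplit(url).scheme != "https":
            raise ValueError("refusing to send BEARER_TOKEN over a non-HTTPS URL")
        if not self.is_live():
            self.clear()
            raise PermissionError("no live session: log in again")
        self._last_used = self._clock()   # each request restarts the idle window
        # Assumption: the token is returned to the API as a Cookie header.
        return {"Cookie": f"BEARER_TOKEN={self._token}"}

    def clear(self):
        """Forget the token, for example after calling the Logout Endpoint."""
        self._token = None
        self._last_used = None
```

The client-side timer only mirrors the server's expiry so that the caller knows when to log in again; the server remains the authority on whether a token is still valid.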

### Technical and Security Aspects

**Secure Connections**: All communication between you and the Merchant API must take place over secure HTTPS connections.

**User access**: Only users set up to use this API can get information from it. Others won’t be allowed in.

**IP restrictions**: Only connections from the whitelisted IPs will be accepted. This measure ensures that only designated sources can access the API.

**Login Requirements:** You'll need both your email and password to use this API. This helps to ensure only authorised users can get in.
