Back to top

API Documentation

Authorize

Overview

We currently allow applications to authenticate with OAuth 2 protocol. OAuth2 has different strategies and Rechat supports two of them:

Strategy Use case
Bearer (AccessToken) User login required
ClientPassword User login makes no sense in the context (eg Registration, where user has no credentials to begin with)

The ClientPassword authentication method is only reserved for for Rechat’s internal applications. Partners trying to create integrations should use OAuth process to fetch new tokens.

You should use a third party library for handling the whole process.

If you are writing code to handle these steps, you are most probably doing it wrong.

Authentication

Get Token
POST/oauth2/token

Basically, login in rechat (and other oauth2 based API’s) means fetching access_token from the server and providing it in the HTTP headers for the remainder of the session like this:

Authorization: Bearer <fetched_access_token>

Additional to access_token, this endpoint will give you:

  • Profile of the logged in user.

  • Expirey date of the access token

  • A refresh token

Example URI

POST /oauth2/token
Request
HideShow
Body
{
  "client_id": "bf0da47e-7226-11e4-905b-0024d71b10fc",
  "client_secret": "secret",
  "username": "[email protected]",
  "password": "aaaaaa",
  "grant_type": "password"
}
Response  200
HideShow
Body
{
  "access_token": "MzUzMmM1OTQtMDE0MC0xMWYxLWE0ODUtY2VlZjZkZDU0NmZl",
  "refresh_token": "MzUzMjY2ZjgtMDE0MC0xMWYxLWE0ODUtY2VlZjZkZDU0NmZl",
  "expires_in": 2678400,
  "code": "OK",
  "data": {
    "type": "user",
    "username": null,
    "first_name": "Unit",
    "last_name": "Test",
    "email": "[email protected]",
    "phone_number": "+4368120265807",
    "created_at": 1493115498.770362,
    "id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "address_id": null,
    "cover_image_url": null,
    "profile_image_url": null,
    "updated_at": 1493115498.770744,
    "user_status": "Active",
    "profile_image_thumbnail_url": null,
    "cover_image_thumbnail_url": null,
    "email_confirmed": true,
    "timezone": "America/Chicago",
    "user_type": "Admin",
    "deleted_at": null,
    "phone_confirmed": false,
    "is_shadow": false,
    "personal_room": null,
    "brand": null,
    "fake_email": false,
    "features": [
      "Deals"
    ],
    "last_seen_at": null,
    "email_signature": null,
    "daily_enabled": false,
    "email_quota": 30000,
    "website": null,
    "instagram": null,
    "twitter": null,
    "linkedin": null,
    "youtube": null,
    "facebook": null,
    "designation": null,
    "tiktok": null,
    "mfa_enabled": false,
    "xpressdocs_user_id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "current_time": "2:37 PM - Tuesday Feb 03, 2026",
    "push_allowed": true,
    "agents": null,
    "last_seen_type": null,
    "active_brand": null,
    "display_name": "Unit Test",
    "abbreviated_display_name": "Unit",
    "online_state": "Offline",
    "has_password": true
  },
  "token_type": "Bearer"
}

Refresh Token
POST/oauth2/token

An access token has a expiry date and thus will be expired. But every time you get an access token (as documented above), you will be given a refresh token which has a longer expiry.

At any time, you can exchange the refresh token with a new pair of tokens like this:

Example URI

POST /oauth2/token
Request
HideShow
Body
{
  "refresh_token": "MzUzMjY2ZjgtMDE0MC0xMWYxLWE0ODUtY2VlZjZkZDU0NmZl",
  "grant_type": "refresh_token",
  "client_id": "bf0da47e-7226-11e4-905b-0024d71b10fc",
  "client_secret": "secret"
}
Response  200
HideShow
Body
{
  "access_token": "MzUzNTZiMjgtMDE0MC0xMWYxLWE0ODUtY2VlZjZkZDU0NmZl",
  "refresh_token": "MzUzNTA5OWUtMDE0MC0xMWYxLWE0ODUtY2VlZjZkZDU0NmZl",
  "expires_in": 2678400,
  "code": "OK",
  "token_type": "Bearer"
}

Multi-factor authentication

Overview

MFA is an opt-in feature, allowing users to set it up in their account settings. Once MFA is activated, MFA will be required when making certain API requests, such as changing the password.

  • Setup MFA: To get started, make a POST request to /users/self/mfa/setup. This endpoint will return two important fields, mfa_url and mfa_qr_code, which can be used with an authenticator application to add a new service.

  • Verify MFA: POST /users/self/mfa/verify After setting up MFA, it’s not immediately enabled for the user. We require users to verify it first by providing a token. The verification step enables the MFA for the user and also marks the current access_token/refresh_token pair as MFA validated.

  • Validate MFA: If a user with verified MFA needs to sign in again, the new access_token/refresh_token pair won’t be MFA validated by default. This means that every request made with the access token will result in a 401 MFA required error. In such cases, the client must call POST /users/self/mfa/validate with a valid MFA token generated by the authenticator application to mark the tokens as MFA validated.

  • Delete MFA: DELETE /users/self/mfa endpoint with a valid MFA token can be used to remove the multi-factor authentication from the user.

Setup MFA

Setup MFA
POST/users/self/mfa/setup

Example URI

POST /users/self/mfa/setup
Response  200
HideShow
Body
{
  "code": "OK",
  "data": {
    "type": "user",
    "username": null,
    "first_name": "updated first name",
    "last_name": "Test",
    "email": "[email protected]",
    "phone_number": "+4368120265807",
    "created_at": 1493115498.770362,
    "id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "address_id": null,
    "cover_image_url": "https://test.cloudfront.net/80a227b2-29a0-11e7-b636-e4a7a08e15d4/9eeb9510-0140-11f1-bb7b-c1ce1696c2c7.jpg",
    "profile_image_url": "https://test.cloudfront.net/80a227b2-29a0-11e7-b636-e4a7a08e15d4/9ef07710-0140-11f1-bb7b-c1ce1696c2c7.jpg",
    "updated_at": 1770151248.135736,
    "user_status": "Active",
    "profile_image_thumbnail_url": null,
    "cover_image_thumbnail_url": null,
    "email_confirmed": true,
    "timezone": "America/Chicago",
    "user_type": "Agent",
    "deleted_at": null,
    "phone_confirmed": true,
    "is_shadow": false,
    "personal_room": null,
    "brand": null,
    "fake_email": false,
    "features": [
      "Deals"
    ],
    "last_seen_at": null,
    "email_signature": "Here is my great signature",
    "daily_enabled": true,
    "email_quota": 30000,
    "website": null,
    "instagram": null,
    "twitter": null,
    "linkedin": null,
    "youtube": null,
    "facebook": null,
    "designation": null,
    "tiktok": null,
    "mfa_enabled": false,
    "xpressdocs_user_id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "current_time": "2:40 PM - Tuesday Feb 03, 2026",
    "push_allowed": true,
    "agents": [
      {
        "id": "26f222d2-57bc-4b7d-b120-9bf95bfcd019",
        "email": "[email protected]",
        "mlsid": "00920130",
        "fax": "(972) 264-4703",
        "full_name": "Gholi Sweet",
        "first_name": "Gholi",
        "last_name": "Sweet",
        "middle_name": null,
        "phone_number": "(972) 264-4703",
        "nar_number": "797500044",
        "office_mui": "15512742",
        "status": "Active",
        "office_mlsid": "RCHT01X",
        "work_phone": "(469) 358-8080",
        "generational_name": null,
        "matrix_unique_id": "155155530",
        "updated_at": 1770151246.681232,
        "deleted_at": null,
        "created_at": 1770151246.681232,
        "mls": "NTREIS",
        "license_number": null,
        "designation": null,
        "nrds": "01053140",
        "type": "agent",
        "office_id": null,
        "secret_questions": [
          "(972) XXX-XX03",
          "jewellxxxxxxxxxxxxxal.net",
          "(469) XXX-XX80"
        ]
      }
    ],
    "last_seen_type": null,
    "active_brand": null,
    "display_name": "updated first name Test",
    "abbreviated_display_name": "updated first name",
    "online_state": "Offline",
    "mfa_url": "otpauth://totp/Rechat:test%40rechat.com?issuer=Rechat&secret=BZP4IDBHZOKOFVLVUEDOHRPNQSYDOHFQ&algorithm=SHA1&digits=6&period=30",
    "mfa_qr_code": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAANQAAADUCAYAAADk3g0YAAAAAklEQVR4AewaftIAAApaSURBVO3BQY7gRpIAQXei/v9l3z7GKQGCWS1pNszsD9ZaVzysta55WGtd87DWuuZhrXXNw1rrmoe11jUPa61rHtZa1zysta55WGtd87DWuuZhrXXNw1rrmoe11jUPa61rfvhI5W+qOFGZKiaVqWJSeaNiUpkqJpWpYlKZKiaVqeINlaniRGWqOFGZKk5UpopJ5W+q+OJhrXXNw1rrmoe11jU/XFZxk8pNFScVb6hMFZPKGxWTyonKVHFSMalMFVPFTSpTxRsVN6nc9LDWuuZhrXXNw1rrmh9+mcobFW+oTBVvqEwVk8pUcaIyVUwqb1RMKm+ovKHyRcXfpPJGxW96WGtd87DWuuZhrXXND//jVN5QmSreqHhD5TdVvKFyUjGpTCpTxYnKVPFf9rDWuuZhrXXNw1rrmh/+x6hMFZPKFypTxaQyVUwVk8o/SeWLikllUvn/5GGtdc3DWuuah7XWNT/8sop/s4pJ5YuKSWWqOKl4Q2VSeaNiUpkqJpWpYqr4myr+TR7WWtc8rLWueVhrXfPDZSr/pIpJZaqYVKaKSWWqmFSmiptUpoqTikllqphUpopJZaqYVKaKSWWqmFSmihOVf7OHtdY1D2utax7WWtf88FHFv1nFpPJGxaTyN1V8UTGpnKhMFScVX1ScVPyXPKy1rnlYa13zsNa6xv7gA5WpYlK5qeJE5aRiUnmj4g2VqWJS+U0VX6icVJyonFScqNxU8Zse1lrXPKy1rnlYa13zw0cVX1S8oTJVTBUnKl+oTBVvqEwVk8pUMalMFZPKicpU8UbFicpUcaJyUvGFyqRyUvHFw1rrmoe11jUPa61r7A8uUjmpmFS+qDhRmSpOVKaKL1Smit+k8kXFicpUMam8UTGpnFScqEwVk8pUcdPDWuuah7XWNQ9rrWt++MtUpopJZaqYVP4mlZOKm1SmikllqpgqJpWpYlJ5o2JSmSomlROVN1TeUDlRmSq+eFhrXfOw1rrmYa11zQ8fqUwVk8pUcVIxqUwVk8obKicVk8pUMancVPGGylQxVUwqU8UbKlPFFxUnKm9UnKj8poe11jUPa61rHtZa1/xwmcqJyknFVPFGxRsqk8obFZPKVHGiclLxhspUMVVMKlPFpPJFxYnKScWk8obK3/Sw1rrmYa11zcNa65offlnFpDJVTCpvVEwqX1TcpPKFylQxqUwVk8pJxaQyVUwqJypfVEwqU8WkclJxonLTw1rrmoe11jUPa61r7A/+IpWp4guVqWJSmSpOVKaKSWWqOFGZKk5Upoo3VG6qmFRuqphUTireUJkqftPDWuuah7XWNQ9rrWt++EhlqphUpoo3VE4qTireqDipmFSmijdUporfVDGpfFExqUwVX1ScqLyhMlXc9LDWuuZhrXXNw1rrGvuDX6RyUvGGylRxonJSMam8UTGpTBWTylQxqUwVk8pU8YbKFxUnKicVk8pUcaIyVfybPKy1rnlYa13zsNa6xv7gL1I5qZhU3qiYVL6omFS+qJhUpopJ5YuKSeWmihOVqeImlanin/Sw1rrmYa11zcNa6xr7gw9U3qj4J6m8UfGGylQxqUwVf5PKScWk8kXFFypvVEwqJxU3Pay1rnlYa13zsNa6xv7gA5U3KiaVmyp+k8pU8YXKTRWTylRxk8pUMan8kyr+poe11jUPa61rHtZa1/xwWcWkMqmcVLyhMqncVDFVnKhMFZPKScUbKr9J5Q2VqeJEZap4Q+VEZaqYVKaKLx7WWtc8rLWueVhrXfPDZSonFZPKicpU8UXFpPKFyhsVk8qJylRxovKFylTxhcpU8YbKVHFSMalMKlPFTQ9rrWse1lrXPKy1rvnhl1VMKm9UvFExqbxRcaJyUnFTxRcVk8oXKlPFGypvVLyh8k96WGtd87DWuuZhrXWN/cEHKlPFpPJfUjGpfFExqfymiptUTipOVKaKSeU3VUwqU8VND2utax7WWtc8rLWu+eGjipOKN1SmijdUTipOVKaKE5WpYlI5qThR+U0qv6nii4pJZap4o2JSmSq+eFhrXfOw1rrmYa11zQ+/TGWqOKmYVKaKSeUNlaniDZUTlZOKSWWqmCreUHmj4g2VN1SmiqniROULlZOKmx7WWtc8rLWueVhrXfPDRyonFScqU8VUcVLxhspJxUnFpDJVTCo3qZxU/E0qb6hMFW9UnKj8kx7WWtc8rLWueVhrXWN/8IHKGxWTyhsVJyonFZPKVPE3qUwVb6icVEwqU8Wk8kbFGypTxaQyVZyoTBUnKicVXzysta55WGtd87DWuuaHjyomlS8qvqiYVG5SmSomlZOKqWJS+U0Vk8pUcaIyqUwVb6hMFW9UnKj8TQ9rrWse1lrXPKy1rrE/uEjlN1W8ofKbKiaVqWJSeaNiUpkqJpXfVPGGylQxqZxU/Jc8rLWueVhrXfOw1rrG/uAXqUwVk8pJxT9JZaqYVKaKSWWqeENlqvhCZao4UfmiYlKZKk5UTireUJkqbnpYa13zsNa65mGtdY39wQcqJxWTylQxqdxU8YbKScUXKm9UnKhMFZPKVPGFylQxqUwV/ySVqWJSmSq+eFhrXfOw1rrmYa11zQ8fVZyovFHxhspU8UXFpHKiclJxUnGi8obKVDGp3KRyonJSMan8lz2sta55WGtd87DWuuaHX1ZxojJVTConFScqJxVvqPyTKk5UTiomlaniROWk4kTljYpJ5aRiUjmpuOlhrXXNw1rrmoe11jX2BxepfFHxN6lMFV+onFScqLxRcaLyRcWk8kbFpHJSMalMFW+onFTc9LDWuuZhrXXNw1rrGvuDD1SmihOVk4pJZaqYVN6oOFGZKk5Upoo3VH5TxRsqJxWTyhsVk8pvqphUTiq+eFhrXfOw1rrmYa11zQ8fVbxR8UbFGxWTym+qmFS+qHhDZao4UbmpYlKZKt6oeENlqphUpopJ5aaHtdY1D2utax7WWtf88JHK31QxVfwvU5kqTlTeqJhUTlSmiqliUpkq3lCZKr5QmSpuelhrXfOw1rrmYa11zQ+XVdykcqIyVZyonFRMKlPFpDJVTCpfVLxRMamcqEwVk8pU8UbFFxVvqJxUTCpTxRcPa61rHtZa1zysta754ZepvFHxmyomlZOKmyomlUnlN1W8UXGiclIxqZyofFHxRsVND2utax7WWtc8rLWu+eF/XMVNKlPFpHKi8ptUpoovVKaKk4qTii9U3lB5o+KLh7XWNQ9rrWse1lrX/PA/RuWk4g2VE5Wp4jepvKEyVZyoTBWTyonKScWkMlW8UTGpnFT8poe11jUPa61rHtZa1/zwyyp+U8WkMlVMKm9UTCpTxaQyVZyoTBUnFScqU8U/qeINlaliqvg3e1hrXfOw1rrmYa11zQ+XqfxNKicqX6i8UfFGxaQyVZyoTBUnKicVb1ScqLxRMalMFZPKScWkMlXc9LDWuuZhrXXNw1rrGvuDtdYVD2utax7WWtc8rLWueVhrXfOw1rrmYa11zcNa65qHtdY1D2utax7WWtc8rLWueVhrXfOw1rrmYa11zcNa65r/A0ZJlrXCbKxPAAAAAElFTkSuQmCC",
    "has_password": true
  }
}

Verify MFA after setup

Verify MFA after setup
POST/users/self/mfa/verify

Example URI

POST /users/self/mfa/verify
Request
HideShow
Body
{
  "token": "683883"
}
Response  200
HideShow
Body
{
  "code": "OK",
  "data": {
    "type": "user",
    "username": null,
    "first_name": "updated first name",
    "last_name": "Test",
    "email": "[email protected]",
    "phone_number": "+4368120265807",
    "created_at": 1493115498.770362,
    "id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "address_id": null,
    "cover_image_url": "https://test.cloudfront.net/80a227b2-29a0-11e7-b636-e4a7a08e15d4/9eeb9510-0140-11f1-bb7b-c1ce1696c2c7.jpg",
    "profile_image_url": "https://test.cloudfront.net/80a227b2-29a0-11e7-b636-e4a7a08e15d4/9ef07710-0140-11f1-bb7b-c1ce1696c2c7.jpg",
    "updated_at": 1770151248.135736,
    "user_status": "Active",
    "profile_image_thumbnail_url": null,
    "cover_image_thumbnail_url": null,
    "email_confirmed": true,
    "timezone": "America/Chicago",
    "user_type": "Agent",
    "deleted_at": null,
    "phone_confirmed": true,
    "is_shadow": false,
    "personal_room": null,
    "brand": null,
    "fake_email": false,
    "features": [
      "Deals"
    ],
    "last_seen_at": null,
    "email_signature": "Here is my great signature",
    "daily_enabled": true,
    "email_quota": 30000,
    "website": null,
    "instagram": null,
    "twitter": null,
    "linkedin": null,
    "youtube": null,
    "facebook": null,
    "designation": null,
    "tiktok": null,
    "mfa_enabled": true,
    "xpressdocs_user_id": "80a227b2-29a0-11e7-b636-e4a7a08e15d4",
    "current_time": "2:40 PM - Tuesday Feb 03, 2026",
    "push_allowed": true,
    "agents": [
      {
        "id": "26f222d2-57bc-4b7d-b120-9bf95bfcd019",
        "email": "[email protected]",
        "mlsid": "00920130",
        "fax": "(972) 264-4703",
        "full_name": "Gholi Sweet",
        "first_name": "Gholi",
        "last_name": "Sweet",
        "middle_name": null,
        "phone_number": "(972) 264-4703",
        "nar_number": "797500044",
        "office_mui": "15512742",
        "status": "Active",
        "office_mlsid": "RCHT01X",
        "work_phone": "(469) 358-8080",
        "generational_name": null,
        "matrix_unique_id": "155155530",
        "updated_at": 1770151246.681232,
        "deleted_at": null,
        "created_at": 1770151246.681232,
        "mls": "NTREIS",
        "license_number": null,
        "designation": null,
        "nrds": "01053140",
        "type": "agent",
        "office_id": null,
        "secret_questions": [
          "(972) XXX-XX03",
          "jewellxxxxxxxxxxxxxal.net",
          "(469) XXX-XX80"
        ]
      }
    ],
    "last_seen_type": null,
    "active_brand": null,
    "display_name": "updated first name Test",
    "abbreviated_display_name": "updated first name",
    "online_state": "Offline",
    "has_password": true
  }
}

Validate an MFA token

Validate an MFA token
POST/users/self/mfa/validate

Example URI

POST /users/self/mfa/validate
Request
HideShow
Body
{
  "token": "683883"
}
Response  204

Remove MFA

Remove MFA
DELETE/users/self/mfa

Example URI

DELETE /users/self/mfa
Request
HideShow
Body
{
  "token": "683883"
}
Response  204

Generated by aglio on 03 Feb 2026