## Authentication

The Merchant Order Pulling API must authenticate requests using JWT tokens. The API must check the token payload as follows:

1. The **jti** identifier must be unique for every request in a 120-second window.
2. The **iat** identifier must be no more than 120 seconds in the past and no more than 5 seconds in the future.
3. The **exp** identifier must not exceed the request arrival time.
4. The token must be signed with a valid secret key.

Example of checking the request JWT token:

```php
use MerchantOP\OrderPullingManager;

$secret = 'QWA8Ff34/!{5qvalidate(OrderPullingManager::bearerHeader())) {
    abort(401); # Return empty response with 401 status code
}
```

__OrderPullingManager::bearerHeader()__ reads the Authorization header from __$_SERVER['HTTP_AUTHORIZATION']__.

We recommend implementing a JTI identifier checker to protect against request replays. Each JTI can be stored in a cache (Redis, Memcached, etc.) with a 120-second TTL. Each incoming identifier should then be checked for presence in that cache, and the request aborted if it is found.
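One way to build the recommended JTI checker, as an added example that is not part of the MerchantOP library: the identifier is recorded with a single atomic "add if absent" operation, and only for tokens whose signature has already been verified, so two concurrent replays cannot both pass and unsigned requests cannot fill the cache. `JtiStore`, `ArrayJtiStore` and `acceptClaims` are hypothetical names. The example assumes **exp** is read in the RFC 7519 sense (reject once the arrival time reaches it), and it keeps each JTI for 125 seconds rather than 120, because a token issued 5 seconds "in the future" stays inside the **iat** window for 125 seconds after it is first seen.

```php
<?php
declare(strict_types=1);

// Hypothetical interface: store the key only if it is absent, in one atomic step.
interface JtiStore {
    public function addIfAbsent(string $jti, int $ttl, int $now): bool;
}

// In-memory stand-in so the example runs offline (single process only).
// With phpredis the same step is $redis->set("jti:$jti", 1, ['nx', 'ex' => $ttl]).
final class ArrayJtiStore implements JtiStore {
    private array $expiresAt = [];

    public function addIfAbsent(string $jti, int $ttl, int $now): bool {
        if (($this->expiresAt[$jti] ?? 0) > $now) {
            return false; // still remembered: this is a replay
        }
        $this->expiresAt[$jti] = $now + $ttl;
        return true;
    }
}

const MAX_AGE  = 120; // iat may be at most 120 s in the past
const MAX_SKEW = 5;   // iat may be at most 5 s in the future

// $claims is the payload of a token whose signature was ALREADY verified.
function acceptClaims(array $claims, JtiStore $store, int $now): bool {
    $jti = $claims['jti'] ?? null;
    $iat = $claims['iat'] ?? null;
    $exp = $claims['exp'] ?? null;
    if (!is_string($jti) || $jti === '' || !is_int($iat) || !is_int($exp)) {
        return false; // missing or malformed claim
    }
    if ($iat < $now - MAX_AGE || $iat > $now + MAX_SKEW) {
        return false; // outside the iat window
    }
    if ($exp <= $now) {
        return false; // assumption: standard expiry semantics
    }
    // Record the jti last, for as long as the iat window could still accept it.
    return $store->addIfAbsent($jti, MAX_AGE + MAX_SKEW, $now);
}

// Constructed sample: first use, immediate replay, replay 121 s later.
$store  = new ArrayJtiStore();
$now    = 1700000000;
$claims = ['jti' => 'c0ffee-0001', 'iat' => $now + 5, 'exp' => $now + 300];
foreach ([0, 1, 121] as $delay) {
    var_dump(acceptClaims($claims, $store, $now + $delay));
}
```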