
Authentication overview


Marmin APIs are designed for secure server-to-server integrations.

At a high level, the authentication flow is:

  1. Get your credentials – Marmin gives you a Client ID and Client Secret (see Get Client ID and Client Secret below).

  2. Generate an HMAC SHA-256 signature – On your backend, use the Client ID and Client Secret to generate a Base64-encoded HMAC signature. Marmin never generates or stores this signature for you. See Generate HMAC SHA256 Signature in the sidebar for rules and do's and don'ts, and Get API token for code examples.

  3. Request a JWT access token – Call the authentication endpoint, sending the signature in the x-marmin-signature header and the Client ID as a query parameter. See Get API token in the sidebar for request/response details.

  4. Call Marmin APIs with the token – Send the JWT access token as a Bearer token in the Authorization header on every API request.

You only need to store the Client ID and Client Secret securely. Your backend derives short-lived JWT tokens from these credentials whenever needed.
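The backend side of the flow above, as an added example that is not Marmin's own code: signing with the Client Secret, assembling the token request (signature in x-marmin-signature, Client ID as a query parameter), and the Bearer header used afterwards. It assumes the signed message is the Client ID itself, that the query parameter is named client_id, and uses a placeholder endpoint; the actual message rules and endpoint are on the Generate HMAC SHA256 Signature and Get API token pages.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Placeholder only; the real endpoint is documented under "Get API token".
TOKEN_ENDPOINT = "https://<marmin-api-host>/auth/token"


def make_signature(client_id: str, client_secret: str) -> str:
    """Base64-encoded HMAC-SHA256, keyed with the Client Secret.

    Assumption: the signed message is the Client ID; the exact rules are
    on the "Generate HMAC SHA256 Signature" page.
    """
    digest = hmac.new(client_secret.encode("utf-8"),
                      client_id.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_token_request(client_id: str, client_secret: str
                        ) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Return (url, query params, headers) for the token call; no network I/O.
    The query parameter name client_id is an assumption."""
    params = {"client_id": client_id}
    headers = {"x-marmin-signature": make_signature(client_id, client_secret)}
    return TOKEN_ENDPOINT, params, headers


def bearer_headers(jwt_token: str) -> Dict[str, str]:
    """Authorization header sent on every subsequent API request."""
    return {"Authorization": f"Bearer {jwt_token}"}


def signature_is_valid(client_id: str, client_secret: str, presented: str) -> bool:
    """Verifier-side check: recompute and compare in constant time, so a
    wrong signature is rejected without leaking timing information."""
    expected = make_signature(client_id, client_secret)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


if __name__ == "__main__":
    # Read credentials from the environment or a secrets manager, never from
    # source control; the fallbacks are constructed demo values.
    cid = os.environ.get("MARMIN_CLIENT_ID", "org_1234567890abcdef")
    secret = os.environ.get("MARMIN_CLIENT_SECRET", "constructed-demo-secret")
    print(build_token_request(cid, secret))
```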

Prerequisites

Before calling the APIs, your organization needs a Marmin account and API access.

Create a Marmin account
  • Contact support@marmin.ai and request a Marmin UAE e-Invoicing account.

  • The Marmin team will create and configure your organization and share initial sign-in details.

Sign in to the Marmin web application
Enable API Integration (one-time setup)

After signing in to the Marmin web application:

  1. Open the Developer Dashboard from the sidebar.

  2. In the Developer Dashboard sidebar, select Settings.

  3. Open the API Configuration section.

The API Configuration tab is visible only if API Integration is enabled for your organization.

If you do not see the API Integration tab, contact support@marmin.ai and ask to enable API Integration for your account.

Get Client ID and Client Secret

Inside API Configuration you will see two credentials:

Client ID
  • A stable identifier for your organization, shown in plain text.

  • It always starts with org_, for example: org_1234567890abcdef.

Client Secret (OTP-protected)

The Client Secret is sensitive and hidden by default.

To view or rotate the secret:

  1. Click Reveal Secret or Regenerate Secret.

  2. An OTP (one-time password) is sent to your registered email address.

  3. Enter the OTP in the verification field.

  4. Click View Secret or Confirm & Regenerate.

OTP validity

  • OTP codes are valid for 5 minutes.

  • If the OTP expires, click Resend to request a new one.

Security recommendations

  • Treat the Client Secret like a password.

  • Store it in a secure secrets manager (not in source control).

  • Never expose it in frontend or mobile applications.

For how to generate the HMAC signature and best practices, see Generate HMAC SHA256 Signature in the sidebar.