Skip to main content
The External API uses JWT Bearer tokens (HS256 symmetric signing). All business routes expect: 
Authorization: Bearer <access_token>
There is no API-key-in-header pattern for data routes: you exchange the API key or password for a JWT using the token endpoints, then call /api/* with the Bearer token.

How to obtain credentials

MethodWhen to use
Dashboard userYou have a Telemax username and password (same identity as the web app).
API keyYour company issued a GUID API key in the Telemax dashboard, or a legacy non-GUID key resolved via the legacy tracking service.
Credentials are not passed on every data request—only the JWT.

Token endpoints

User login

POST /api/Authentication/token/user
  • Content-Type: application/x-www-form-urlencoded
  • Body fields: UserName, Password (see LoginRequest in code)

API key login

POST /api/Authentication/token/api-key
  • Content-Type: application/x-www-form-urlencoded
  • Body field: apiKey (string)

Successful token response

JSON fields (see JwtTokenResponse):
FieldTypeDescription
access_tokenstringJWT for Authorization: Bearer
token_typestringAlways bearer
expires_innumberLifetime in seconds

JWT claims

Claim types are the string names of JwtClaims (e.g. UserId, CompanyId, TimeZone). API key logins may also include Vehicles, Actions, and DateFormat for scoped keys.

Token expiry and refresh

Token caching strategy

Do not request a new token on every API call. Each token is valid for ~24 hours. Requesting tokens unnecessarily adds latency and risks hitting future rate limits.
Recommended approach:
  1. On startup, request a token and store it in memory with its expiry time (Date.now() + expires_in * 1000).
  2. Before each API call, check if the token expires within the next 5 minutes.
  3. If yes, re-authenticate and replace the cached token.
  4. If no, use the cached token.
Example (JavaScript): 
let cachedToken = null;
let tokenExpiresAt = 0;

async function getToken() {
  if (cachedToken && Date.now() < tokenExpiresAt - 5 * 60 * 1000) {
    return cachedToken;
  }
  const res = await fetch('https://api.telemax.com.au/api/Authentication/token/api-key', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ apiKey: process.env.TELEMAX_API_KEY }),
  });
  const { access_token, expires_in } = await res.json();
  cachedToken = access_token;
  tokenExpiresAt = Date.now() + expires_in * 1000;
  return cachedToken;
}
Example (Python): 
import time
import requests

_token = None
_token_expires_at = 0

def get_token():
    global _token, _token_expires_at
    if _token and time.time() < _token_expires_at - 300:
        return _token
    r = requests.post(
        'https://api.telemax.com.au/api/Authentication/token/api-key',
        data={'apiKey': os.environ['TELEMAX_API_KEY']},
    )
    r.raise_for_status()
    data = r.json()
    _token = data['access_token']
    _token_expires_at = time.time() + data['expires_in']
    return _token

Token scoping

Every token is bound to a single company. The CompanyId claim in the JWT determines which resources the token can access.

User tokens

Scoped to the primary company associated with the Telemax user account. Multi-company users are pinned to their first company — if you need access to a different company, use an API key issued for that company instead.

API key tokens

API key tokens carry additional optional claims:
ClaimEmpty value meansNon-empty value means
VehiclesAll vehicles in the companyComma-separated list of allowed vehicle IDs
ActionsAll actionsComma-separated list of allowed action strings
DateFormatUser’s configured date format
To check which companies and vehicles your token can access, call POST /api/GetCompanies and POST /api/Devices after authenticating.

API key rotation

To rotate an API key without downtime:
  1. Create the new key in the Telemax dashboard (Webhooks and API Key section). Both keys are active simultaneously.
  2. Update your integration to use the new key and confirm tokens are being obtained successfully.
  3. Delete the old key in the dashboard. Existing tokens issued with the old key remain valid until they expire (up to 24 hours).
Deleting a key immediately invalidates future token requests with that key. Tokens already issued remain valid until their expires_in elapses.

Code examples

curl -s -X POST "https://api.telemax.com.au/api/Authentication/token/user" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "UserName=integration.reader@acmefleet.com.au" \
  --data-urlencode "Password=K7mP2vL9qW4nR8xT"