Authentication

Introduction

Spaaza supports three different authentication methods, with one sub-method. These allow users, admin users and privileged clients such as trusted 3rd parties to consume the Spaaza API.

User Authentication

End user authentication is available for various API endpoints. User authentication uses HTTP headers containing user ID and session key values obtained from the login API endpoint. The following headers must be passed to any API endpoint using user authentication:

  • session-user_id: user ID of the user obtained from the login endpoint
  • session-key: session key of the session obtained from the login endpoint
  • X-MyPrice-App-Hostname: hostname of the Spaaza app the user is affiliated with

Spaaza is often configured to pass end-user authentication requests through to a 3rd party authentication service such as an e-commerce or identity API, meaning end-user authentication details do not need to be kept in Spaaza’s data store.

Admin Authentication

Admin user authentication is available for various API endpoints. An admin user is a user with permissions to create, update, delete or assign information for a particular Spaaza app or retailer. Admin authentication uses HTTP headers containing user ID and session key values obtained from the login API endpoint. Each time admin authentication is used, the permissions of the user role are checked for validity for the particular endpoint.

The following HTTP headers must be passed to any API endpoint using admin authentication:

  • session-user-id: user ID of the user obtained from the login endpoint
  • session-key: session key of the session obtained from the login endpoint

Additionally the following HTTP header is often required:

  • X-MyPrice-App-Hostname: hostname of the Spaaza app the user wishes to apply the change to

Privileged Authentication

Privileged authentication is available for certain trusted third-party systems using various API endpoints. Key exchange is used to supply the API consumer with the correct credentials, which are checked on each use of an endpoint.

The following HTTP authentication header is used to present the API with credentials:

  • Authorization: Bearer <access token ID>:<access token secret>

Additionally the following HTTP header is often required:

  • X-MyPrice-App-Hostname: hostname of the Spaaza app the user wishes to apply the change to
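
The three header sets described above can be built by one small client-side helper. This is an added example, not Spaaza's own code: the header names and the Bearer format come from this page, while the function names, the sample values in the comments, the rejection of ':' in the token ID and the log redaction are assumptions made for illustration.

```python
# Added example: header names and the Bearer format are copied from the page as
# written; function names and validation rules are illustrative assumptions.
SENSITIVE = {"session-key", "authorization"}  # values that must never reach logs


def _clean(name, value):
    """Reject missing/empty values and CR/LF, which would allow header injection."""
    if value is None or not str(value) or any(c in str(value) for c in "\r\n"):
        raise ValueError(f"invalid value for header {name}")
    return str(value)


def _with_hostname(headers, app_hostname):
    """Attach X-MyPrice-App-Hostname when the caller supplies one."""
    if app_hostname is not None:
        headers["X-MyPrice-App-Hostname"] = _clean("X-MyPrice-App-Hostname", app_hostname)
    return headers


def user_headers(user_id, session_key, app_hostname):
    """End-user authentication: all three headers are required."""
    hostname = _clean("X-MyPrice-App-Hostname", app_hostname)
    return _with_hostname({
        "session-user_id": _clean("session-user_id", user_id),
        "session-key": _clean("session-key", session_key),
    }, hostname)


def admin_headers(user_id, session_key, app_hostname=None):
    """Admin authentication: the hostname header is often, not always, required."""
    return _with_hostname({
        "session-user-id": _clean("session-user-id", user_id),
        "session-key": _clean("session-key", session_key),
    }, app_hostname)


def privileged_headers(token_id, token_secret, app_hostname=None):
    """Privileged authentication: Bearer <access token ID>:<access token secret>."""
    token_id = _clean("Authorization", token_id)
    if ":" in token_id:  # assumption: ':' separates ID from secret, so this is ambiguous
        raise ValueError("access token ID must not contain ':'")
    secret = _clean("Authorization", token_secret)
    return _with_hostname({"Authorization": f"Bearer {token_id}:{secret}"}, app_hostname)


def redact(headers):
    """Return a copy of the headers that is safe to write to logs."""
    return {k: "<redacted>" if k.lower() in SENSITIVE else v for k, v in headers.items()}
```

Pass the returned dictionary as the request headers of whichever HTTP client is in use, and log only the output of redact().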