Authentication
Introduction
Spaaza supports three different authentication methods, with one sub-method. These allow users, admin users and privileged clients such as trusted 3rd parties to consume the Spaaza API.
User Authentication
End user authentication is available for various API endpoints. User authentication uses HTTP headers containing user ID and session key values obtained from the login API endpoint.
The following headers must be passed to any API endpoint using user authentication:
- session-user_id: user ID of the user obtained from the login endpoint
- session-key: session key of the session obtained from the login endpoint
- X-MyPrice-App-Hostname: hostname of the Spaaza app the user is affiliated with
Spaaza is often configured to pass end-user authentication requests through to a 3rd party authentication service such as an e-commerce or identity API, meaning end-user authentication details do not need to be kept in Spaaza’s data store.
Admin Authentication
Admin user authentication is available for various API endpoints. An admin user is a user with permissions to create, update, delete or assign information for a particular Spaaza app or retailer. Admin authentication uses HTTP headers containing user ID and session key values obtained from the login API endpoint. Each time admin authentication is used, the permissions of the user role are checked for validity for the particular endpoint.
The following HTTP headers must be passed to any API endpoint using admin authentication:
- session-user-id: user ID of the user obtained from the login endpoint
- session-key: session key of the session obtained from the login endpoint
Additionally the following HTTP header is often required:
- X-MyPrice-App-Hostname: hostname of the Spaaza app the user wishes to apply the change to
Privileged Authentication
Privileged authentication is available for certain trusted third party systems using various API endpoints. Key exchange is used to supply the API consumer with the correct credentials, which are checked during each use of the endpoint.
The following HTTP authentication header is used to present the API with credentials:
- Authorization: Bearer access token ID:access token secret
Additionally the following HTTP header is often required:
- X-MyPrice-App-Hostname: hostname of the Spaaza app the user wishes to apply the change to
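The following is an added example, not Spaaza's own code: a small Python helper that builds the header set for each of the three methods described above, rejects values that could inject extra headers, and masks credentials before logging. The function names are hypothetical, the sample values in the comments are constructed, and the rule that a token ID may not contain ":" is an assumption based on the "ID:secret" format shown above.

```python
import re

# Header names are copied from this page; the user-auth header is
# "session-user_id" while the admin one is "session-user-id".
HOSTNAME_HEADER = "X-MyPrice-App-Hostname"
SECRET_HEADERS = {"session-key", "authorization"}
_UNSAFE = re.compile(r"[\r\n\x00]")


def _checked(raw, optional=()):
    """Skip unset optional headers; reject empty values and CR/LF/NUL."""
    out = {}
    for name, value in raw.items():
        if value is None and name in optional:
            continue
        value = "" if value is None else str(value)
        if not value or _UNSAFE.search(value):
            raise ValueError(f"unsafe or empty value for header {name!r}")
        out[name] = value
    return out


def user_headers(user_id, session_key, app_hostname):
    # All three headers are mandatory for user authentication.
    return _checked({"session-user_id": user_id, "session-key": session_key,
                     HOSTNAME_HEADER: app_hostname})


def admin_headers(user_id, session_key, app_hostname=None):
    # The hostname header is "often required", so it is optional here.
    return _checked({"session-user-id": user_id, "session-key": session_key,
                     HOSTNAME_HEADER: app_hostname}, optional=(HOSTNAME_HEADER,))


def privileged_headers(token_id, token_secret, app_hostname=None):
    # Assumption: ":" separates ID from secret, so the ID must not contain it.
    if ":" in str(token_id):
        raise ValueError("token ID must not contain ':'")
    return _checked({"Authorization": f"Bearer {token_id}:{token_secret}",
                     HOSTNAME_HEADER: app_hostname}, optional=(HOSTNAME_HEADER,))


def redact(headers):
    """Return a copy that is safe to log: credential values are masked."""
    return {k: ("<redacted>" if k.lower() in SECRET_HEADERS else v)
            for k, v in headers.items()}

# Constructed sample: redact(user_headers("1001", "k3y", "shop.example.com"))
```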