
API Authentication

OAuth2

In this flow, we identify the application, not the user. This makes it suited to machine-to-machine applications (e.g. a service running on your backend).

  1. The application requests an access_token from the Authentication API by sending both its client-id and client-secret
  2. The Authentication API verifies the access and returns an access_token
  3. The application sends an authenticated request to the API

Requests are authorized by adding the Authorization HTTP header containing a Bearer token:

headers: { Authorization: "Bearer {access_token}" }

Secure token - process flow

Additional resources:

X-Hub signature

X-Hub-Signature is a method for securing webhooks. It lets the receiver verify the signature of a request body using a secret key that is shared by the sender and the receiver. x-hub-signature is a header containing an HMAC signature of the request body. A shared secret is used in the HMAC, allowing us to verify your requests.

This method can be used for your event mapping endpoints and to validate social media webhook requests (e.g. Facebook, Instagram).
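
A receiver-side check for the signature described above, as an added example that is not part of the original documentation. It assumes the header value has the form `<algo>=<hex digest>` (the common X-Hub-Signature convention; this page does not state the digest algorithm), and the secret and request body are constructed samples.

```python
import hashlib
import hmac
import json

# Assumption: header value is "<algo>=<hex digest>". Only these digests are
# accepted, so a sender-chosen algorithm name cannot select anything else.
ALLOWED_ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def sign_body(secret: bytes, raw_body: bytes, algo: str = "sha256") -> str:
    """Build the header value a sender would attach to raw_body."""
    digest = hmac.new(secret, raw_body, ALLOWED_ALGOS[algo]).hexdigest()
    return f"{algo}={digest}"


def verify_x_hub_signature(secret: bytes, raw_body: bytes, header) -> bool:
    """Return True only if header carries a valid HMAC of the exact raw_body."""
    if not header or "=" not in header:
        return False  # missing or malformed header: reject, never skip the check
    algo, _, received = header.strip().partition("=")
    digestmod = ALLOWED_ALGOS.get(algo.lower())
    if digestmod is None:
        return False
    expected = hmac.new(secret, raw_body, digestmod).hexdigest()
    # Constant-time comparison on bytes; a plain == can leak how many
    # leading characters matched through response timing.
    return hmac.compare_digest(expected.encode(), received.lower().encode())


# Constructed sample values, for illustration only.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = b'{"event": "purchase",  "points": 10}'

if __name__ == "__main__":
    header = sign_body(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid body:   ", verify_x_hub_signature(SAMPLE_SECRET, SAMPLE_BODY, header))
    # Verifying a re-serialized body fails: the HMAC covers the bytes on the
    # wire, so verify before parsing, not after json.loads()/json.dumps().
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print("re-serialized:", verify_x_hub_signature(SAMPLE_SECRET, reserialized, header))
    print("no header:    ", verify_x_hub_signature(SAMPLE_SECRET, SAMPLE_BODY, None))
```

Run the check against the raw request bytes before any JSON parsing, and treat a missing header the same as a bad signature.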

Custom Token

For event mapping only, you can send a static token in your request. This can be done using either:

  • a custom HTTP query parameter:
https://manager.loyalty.qualifioapp.com/api/ingestor/mapped-events/{id}?{your_custom_token_name}={your_token_value}
  • a custom HTTP header
headers: {
"your_custom_token_name": "your_token_value"
}