Authentication

Our API offers multiple authentication methods to suit different use cases. The various methods provide flexibility and robust security, ensuring that your interaction with our API aligns with the best practices in the industry.

1. Private API KEY Authentication

API KEY authentication is a simple method: include your unique API key in the x-api-key request header. You can obtain this key from your user dashboard.

x-api-key: YOUR_API_KEY_HERE

You can create API keys for your account and manage them from your user dashboard. This method is safe in itself, but anyone who gets hold of your API key can access your account with it. We recommend using this method only for testing purposes and for inventory retrieval; it is not allowed for order submission. To submit orders, you will need to use the OAuth2 method.

Here is an example in Python:

import requests

url = "https://api.psrestful.com/v1.1.0/suppliers/PCNA/medias/TM97813/?environment=PROD"

# The private key travels in the x-api-key header; load it from configuration
# rather than committing it to source control.
headers = {
  'x-api-key': 'YOUR_API_KEY_HERE'
}

response = requests.get(url, headers=headers, timeout=30)
response.raise_for_status()  # fail loudly on 401/403 instead of parsing an error body

print(response.json())

2. Public API keys

Overview

Public API Keys allow you to authenticate and authorize access to the API from your front-end applications, such as websites, mobile apps, or backoffice applications. This method involves a three-step process:

  1. Generating a public key
  2. Adding your domains to Allowed Origins in Account Settings
  3. Using the public key to make API requests

Generating a Public Key

The public key is a unique identifier used to authenticate and authorize access to the API. It is a 32-character string that you generate from your account and that is stored in our database.

To generate a public key, follow these steps:

  1. Log in to your account.
  2. Navigate to the API KEY section.
  3. Click on "Create API Key".
  4. Save the generated key in a secure place.

Adding Allowed Origins

To ensure that your public key is only used by authorized domains, you need to add your domains to the Allowed Origins in Account Settings.

  1. Log in to your account.
  2. Go to Account Settings.
  3. Find the Allowed Origins section.
  4. Add the domains from which you will be making API requests.
  5. Save your settings.

Using the Public Key

Once you have generated your public key and added your domains to Allowed Origins, you can use the public key to make API requests. Include the public key in your query parameters as shown below:

Example: https://api.psrestful.com/v2.0.0/suppliers/HIT/inventory/5989?pub_api_key=XXXXXX

Note: This request will only succeed when it is launched from a page hosted on one of the domains you entered in Allowed Origins (step 2).
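A public key is visible to anyone who loads your page, so the Allowed Origins check is what actually limits its use. The following is an added illustration, not psrestful's own server code, of how such an origin allow-list is applied on the server side and why the comparison has to be exact (scheme, host and port) rather than a substring match. ALLOWED_ORIGINS is a constructed sample list, and the actual matching rules of the psrestful service are not documented on this page; inventory_url only assembles the front-end request shown above.

```python
"""Origin allow-list check as a server applies it to a public API key.

Added illustration, not psrestful's own code. ALLOWED_ORIGINS is a constructed
sample of what an account owner might enter under Allowed Origins.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample: compared by scheme, host and port, never by substring.
ALLOWED_ORIGINS = {
    "https://shop.example.com",
    "https://admin.example.com:8443",
}


def normalize_origin(value):
    """Reduce a URL or Origin header to 'scheme://host[:port]' in lower case.

    Returns None for anything that is not an absolute http(s) URL, so a
    missing, malformed or literal "null" Origin can never match an entry.
    """
    if not value:
        return None
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = port or default_port
    host = parts.hostname.lower()
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """True only when the request's Origin exactly matches an allowed entry."""
    normalized = normalize_origin(origin_header)
    if normalized is None:
        return False
    return normalized in {normalize_origin(entry) for entry in allowed}


def naive_origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """Substring check, shown only to contrast: it accepts look-alike hosts."""
    hosts = [entry.split("://", 1)[1].split(":")[0] for entry in allowed]
    return any(host in (origin_header or "") for host in hosts)


def inventory_url(supplier, product_id, pub_api_key,
                  base="https://api.psrestful.com/v2.0.0"):
    """Assemble the front-end inventory request with the key as query param."""
    parts = urlsplit(base)
    path = parts.path.rstrip("/") + f"/suppliers/{supplier}/inventory/{product_id}"
    return urlunsplit((parts.scheme, parts.netloc, path,
                       urlencode({"pub_api_key": pub_api_key}), ""))


if __name__ == "__main__":
    for origin in ("https://shop.example.com", "http://shop.example.com",
                   "https://shop.example.com.example.net", "null"):
        print(origin, "strict:", is_origin_allowed(origin),
              "naive:", naive_origin_allowed(origin))
    print(inventory_url("HIT", "5989", "XXXXXX"))
```

The strict check treats "https://shop.example.com:443" and "HTTPS://Shop.Example.com" as the same origin (default port, case-insensitive host) but rejects a scheme change to http and rejects a host that merely contains an allowed name; the substring version accepts the latter, which is the mistake an allow-list must avoid.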

3. Bearer Token Authentication

Bearer token authentication provides secure access using a token obtained through OAuth2 or another token provider. The token is sent in the Authorization header, in line with security best practices:

Authorization: Bearer YOUR_TOKEN_HERE

3.1 OAuth2

We strongly recommend using OAuth2 tokens when available, as they adhere to an industry-standard protocol for authorization. OAuth2 provides several grant types, allowing for fine-grained control over access and refreshing tokens. Consult our OAuth2 Integration Guide for detailed information on implementing OAuth2 with our API.
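Token lifetimes and refreshes are the part of bearer authentication that clients most often get wrong, either by fetching a new token on every call or by caching one until it fails. The following is an added example, not psrestful's OAuth2 client or the code of the OAuth2 Integration Guide: it assumes a token endpoint that answers a client-credentials grant with JSON containing "access_token" and "expires_in" (the RFC 6749 shape). TOKEN_URL and the PSRESTFUL_CLIENT_ID / PSRESTFUL_CLIENT_SECRET environment variable names are placeholders; take the real endpoint, grant type and credentials from the OAuth2 Integration Guide.

```python
"""Bearer-token client with in-memory caching and pre-expiry refresh.

Added illustration; not psrestful's own OAuth2 client. It assumes a token
endpoint that answers a client-credentials grant with JSON containing
"access_token" and "expires_in" (the RFC 6749 shape). TOKEN_URL and the
environment variable names are placeholders.
"""
import base64
import json
import os
import time
import urllib.request

TOKEN_URL = "https://token-endpoint.placeholder.invalid/oauth2/token"  # placeholder
API_URL = "https://api.psrestful.com/v1.1.0/suppliers/PCNA/medias/TM97813/?environment=PROD"


class BearerSession:
    """Caches one access token and refreshes it shortly before it expires.

    fetch_token: callable returning the token endpoint's JSON dict. It is
    injected so the refresh logic can be exercised without network access.
    clock: callable returning epoch seconds (time.time in production).
    """

    def __init__(self, fetch_token, clock=time.time, refresh_margin=60):
        self._fetch_token = fetch_token
        self._clock = clock
        self._margin = refresh_margin
        self._token = None
        self._expires_at = 0.0
        self.refresh_count = 0  # exposed so callers can observe refresh behaviour

    def _needs_refresh(self):
        return self._token is None or self._clock() >= self._expires_at - self._margin

    def access_token(self):
        if self._needs_refresh():
            payload = self._fetch_token()
            # expires_in is in seconds per RFC 6749; if the server omits it,
            # cache only briefly rather than reusing a token indefinitely.
            lifetime = float(payload.get("expires_in", 300))
            self._token = payload["access_token"]
            self._expires_at = self._clock() + lifetime
            self.refresh_count += 1
        return self._token

    def auth_header(self):
        return {"Authorization": f"Bearer {self.access_token()}"}


def require_https(url):
    """A bearer token is only as secret as its channel; refuse plain HTTP."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"refusing to send a bearer token over a non-HTTPS URL: {url}")
    return url


def client_credentials_fetcher(token_url=TOKEN_URL):
    """Return a fetch_token callable that performs a client-credentials grant.

    Credentials are read from the environment at call time, never hard-coded.
    """
    def fetch():
        client_id = os.environ["PSRESTFUL_CLIENT_ID"]          # placeholder name
        client_secret = os.environ["PSRESTFUL_CLIENT_SECRET"]  # placeholder name
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        req = urllib.request.Request(
            require_https(token_url),
            data=b"grant_type=client_credentials",
            headers={
                "Authorization": f"Basic {basic}",
                "Content-Type": "application/x-www-form-urlencoded",
            },
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def get_json(session, url):
    """GET url with the session's bearer token and decode the JSON body."""
    req = urllib.request.Request(require_https(url), headers=session.auth_header())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    session = BearerSession(client_credentials_fetcher())
    print(get_json(session, API_URL))
```

The token is held only in process memory and is replaced one refresh_margin before its advertised expiry, so a request never goes out with a token that is about to be rejected; injecting fetch_token and clock lets the refresh behaviour be checked with a fake endpoint and a fake clock.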

Security Considerations

  • Transport Layer Security: Ensure that you are connecting over HTTPS to maintain the confidentiality and integrity of your data.
  • Token Storage: Be cautious with how you store and handle tokens, particularly in client-side applications. It's essential to follow secure practices for storing sensitive information.
  • Rate Limiting: Be aware of the rate limits that apply to your chosen authentication method. Our documentation on Rate Limits provides more details.
  • Permissions: Currently, a user with access has access to all API calls. We will change this in the near future and will provide details on how to manage permissions as those changes roll out.

Please refer to the specific endpoint documentation to determine which authentication methods are supported and any additional requirements.