
Authentication

Authentication is the process of verifying the identity of a user or application that is trying to access an API. It ensures that protected resources are reachable only by callers who have proven who they are, while unprotected resources remain open to everyone.

This helps us keep your data safe by ensuring that only you and others in your organization can place orders and access information about your orders.

Basic concepts

What is authentication?

When you interact with an API, authentication is used to confirm that you are who you say you are. This is typically done by providing credentials (such as a username and password) to obtain a token, which is then used to prove your identity in subsequent requests. The token is itself a credential: anyone who holds it can act as you until it expires, so store it and transmit it with the same care as a password.

What is authorization?

Authorization is the process of determining what actions or resources an authenticated user is allowed to access. While authentication answers the question "Who are you?", authorization answers "What are you allowed to do?".
For example, after you authenticate and receive a token, the API uses authorization rules to decide whether you can access specific endpoints, perform certain operations, or view particular data. Authorization is enforced based on your user role, organization, or approval status.

Protected vs. Unprotected resources

  • Protected resources:
    These are API endpoints that require authentication. You must provide a valid token in the Authorization header to access them. When viewing the API Reference, assume every endpoint is a protected resource unless otherwise noted.

  • Unprotected resources:
    These endpoints are publicly accessible and do not require a token. Examples include public documentation, status endpoints, or general information that does not expose sensitive data. The endpoint used to retrieve a token is itself unprotected: it accepts your credentials instead of a token, because at that point you do not have a token yet.

How authentication works

  1. Obtain a token:
    You authenticate by sending your credentials to a specific endpoint. See: Retrieve a token. If the credentials are valid, the server returns a token.

  2. Use the token:
    For protected endpoints, include the token in the Authorization header of your requests:

    Authorization: Bearer <your-token>

  3. Access control:
    The API checks the token on each request to a protected resource. If the token is valid and not expired, the request proceeds (subject to the authorization rules described above). Otherwise the request is denied, and you must retrieve a new token before retrying.
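The three steps above, worked through as an added example. This is not the API's own code: the credential store, the opaque random token format, the one-hour lifetime and the function names are all assumptions made for illustration, and the user record is constructed. What the example adds to the prose is the server-side check in step 3: how a well-formed Authorization header is parsed, why the password comparison is constant-time, and what happens to an expired token.

```python
"""Added example of the obtain/use/check flow for bearer tokens.
Not the API's own implementation; token format and lifetime are assumed."""
from __future__ import annotations

import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the real value is documented under Tokens

# Constructed credential store: username -> password. A real service stores
# password hashes; plaintext keeps the example short.
_USERS = {"alice@example.com": "correct horse battery staple"}

# Issued tokens: token -> (subject, expiry as epoch seconds)
_TOKENS: dict[str, tuple[str, float]] = {}


def retrieve_token(username: str, password: str, now: float | None = None) -> str | None:
    """Step 1: exchange credentials for a token. Returns None on bad credentials."""
    now = time.time() if now is None else now
    expected = _USERS.get(username)
    # compare_digest so a wrong password costs the same time as a right one
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    _TOKENS[token] = (username, now + TOKEN_TTL_SECONDS)
    return token


def bearer_header(token: str) -> dict[str, str]:
    """Step 2: the header a client attaches to every request to a protected resource."""
    return {"Authorization": f"Bearer {token}"}


def parse_bearer(headers: dict[str, str]) -> str | None:
    """Extract the token from an Authorization header, or None when the header is
    absent or is not a well-formed Bearer credential (RFC 6750: scheme name is
    case-insensitive, exactly one space, non-empty token)."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    parts = value.split(" ")
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1]:
        return None
    return parts[1]


def check_access(headers: dict[str, str], now: float | None = None) -> tuple[int, str]:
    """Step 3: decide a request to a protected resource.
    Returns (HTTP status, authenticated subject or denial reason)."""
    now = time.time() if now is None else now
    token = parse_bearer(headers)
    if token is None:
        return 401, "missing or malformed Authorization header"
    entry = _TOKENS.get(token)
    if entry is None:
        return 401, "unknown token"
    subject, expires_at = entry
    if now >= expires_at:
        del _TOKENS[token]  # an expired token is dropped, never honoured again
        return 401, "token expired"
    return 200, subject


if __name__ == "__main__":
    tok = retrieve_token("alice@example.com", "correct horse battery staple")
    print(check_access(bearer_header(tok)))        # (200, 'alice@example.com')
    print(check_access({"Authorization": "Basic x"}))  # (401, 'missing or malformed ...')
```

Note that the check is deliberately coarse: a denied request only learns that it was denied, and the reasons are returned here for illustration. Authorization (role, organization, approval status) is a separate decision taken after check_access has established the subject.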

Why authentication matters

Authentication helps:

  • Protect sensitive data and operations.
  • Ensure that only authorized users can perform certain actions.
  • Track and audit user activity.

For more details on how to obtain and use tokens, see Tokens.