Every API request must include a header that authenticates the request as valid. Format:
Authorization: {"public_id": "<merchant_id>", "ts": <timestamp>, "sig_field": "<api_username or customer_id>", "sig": "<signature>"}
Scope
The authentication header will also determine the scope of permissions you have when making your request. There are two types of authentication:
Customer
This allows you to authenticate as one of your customers. All data returned will be within the scope of that customer, and related actions would be limited to those you would allow the customer to take on their own behalf.
For example, a customer could update their next order date, but would not be permitted to alter the price of the order.
Customer-level authentication scope is appropriate to use when making requests from the client or server.
API User
This allows you to authenticate as an officially registered API user within the Ordergroove platform. Each user may have its own scope of permissions, which is determined when the user account is initially generated.
The details of these authentication strings and signatures should never be exposed to the client.
Example
Using Node and request.
const request = require('request');

// Placeholder endpoint; substitute the real API resource.
const url = 'http://hostname/resource';

// Fields of the Authorization header, serialized to JSON below.
const auth = {
  'public_id': '39bkas893740ng49023u0m23049209n2',
  'ts': 1488466536,
  'sig_field': 'test_user',
  'sig': 'BNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ='
};

const headers = {
  'authorization': JSON.stringify(auth),
  'content-type': 'application/json'
};

request({ url, headers });
Trust Group
{"public_id": "public_id", "ts": 1234567890, "sig_field": "customer_id", "sig": "signature", "trust_level": "recognized"}
field | description | example |
---|---|---|
public_id | the public API key for your account (also your merchant id) | 39bkas893740ng49023u0m23049209n2 |
ts | current Unix epoch timestamp | 1488466536 |
sig_field | ID of the customer with which you're authenticating | test_user |
trust_level | a string describing your confidence in customer's identity | recognized |
sig | Generated HMAC signature | BNobNOMlv3DDv6IXs861hx6WMM/4qP4V18tSYM8mPoQ= |
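The following is an added example, not code from Ordergroove or from the original page. It builds the header on the server so the signing key never reaches the client, and shows how `ts` and `sig` together bound replay. Assumptions: the page only says `sig` is an HMAC, so the signed message layout (`sig_field|ts`), the SHA-256 digest, the `hashKey` secret and the 300-second freshness window are all hypothetical.

```javascript
const crypto = require('crypto');

// Assumption: sig = base64(HMAC-SHA256(hashKey, "<sig_field>|<ts>")).
// The page does not specify the signed message; adjust to the real scheme.
function sign(hashKey, sigField, ts) {
  return crypto.createHmac('sha256', hashKey)
    .update(`${sigField}|${ts}`)
    .digest('base64');
}

// Server-side only: hashKey must never be shipped to a browser.
function buildAuthHeader({ publicId, hashKey, sigField, now = Date.now() }) {
  const ts = Math.floor(now / 1000); // Unix epoch seconds, as in the table
  return JSON.stringify({
    public_id: publicId,
    ts,
    sig_field: sigField,
    sig: sign(hashKey, sigField, ts)
  });
}

// Receiver-side check, to illustrate why ts is part of the header:
// a captured header stops verifying once it falls outside the window.
function verifyAuthHeader(header, hashKey, opts = {}) {
  const { now = Date.now(), maxSkewSeconds = 300 } = opts; // window is assumed
  let auth;
  try {
    auth = JSON.parse(header);
  } catch (err) {
    return false; // not valid JSON
  }
  if (!auth || typeof auth.sig !== 'string' ||
      typeof auth.sig_field !== 'string' || !Number.isInteger(auth.ts)) {
    return false; // missing or mistyped fields
  }
  if (Math.abs(Math.floor(now / 1000) - auth.ts) > maxSkewSeconds) {
    return false; // stale or future-dated timestamp
  }
  const expected = Buffer.from(sign(hashKey, auth.sig_field, auth.ts), 'base64');
  const given = Buffer.from(auth.sig, 'base64');
  // Constant-time comparison avoids leaking how many bytes matched.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}
```

Because `sig_field` is bound into the signature, swapping the customer ID in a captured header invalidates it.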