Authentication
Requests to the API are authenticated through an Authorization header. This header typically carries either a user-context access token or an API key for machine-to-machine authentication.
Using short-lived tokens
In most cases, authentication to the Spoonity API is done through a short-lived token generated through an OAuth 2.0 handshake. These tokens expire quickly (see expires_in in the response below) and must be refreshed between requests once they expire.
Generating a new token
Create an access token
curl https://api.spoonity.com/oauth/access_token \
-d client_secret="{client_secret}" \
-d client_id="{client_id}" \
-d grant_type=authorization_code \
-d code="{code}"
Response
{
"access_token": "{access_token}",
"token_type": "bearer",
"expires_in": 60
}
Tokens can then be used to authenticate requests to the API.
Get a list of customers
curl https://api.spoonity.com/customers \
-H "Authorization: Bearer {token}"
Using API keys
Longer-lived access tokens can also be generated as API keys through the Spoonity dashboard. Because these tokens are long-lived, they should be used sparingly and only when necessary.
Authentication with API keys is done the same way as with short-lived tokens, using the Authorization header.
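As an added example (not Spoonity's SDK, and not code from this page), the following Python client performs the authorization-code exchange shown above, validates the response, tracks expiry so a token is renewed before it lapses, and builds the Authorization header for both a short-lived token and an API key. It assumes expires_in is in seconds and uses a 5-second refresh margin; the HTTP call is an injectable callable so the example runs offline against a constructed fake endpoint, while default_post is the real form-encoded transport.

```python
# Added example: minimal client for the token exchange and Bearer header.
# Not Spoonity's SDK. Network access goes through an injectable callable.
import json
import time
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://api.spoonity.com/oauth/access_token"  # endpoint from the page
REFRESH_MARGIN_SECONDS = 5  # assumption: renew this long before expiry to avoid racing it


class TokenError(Exception):
    """Raised when the token endpoint rejects the exchange or answers unexpectedly."""


def default_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Real transport: form-encoded POST, equivalent to the curl -d example."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    with urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


@dataclass(frozen=True)
class Token:
    value: str
    expires_at: float  # absolute epoch seconds, derived from expires_in

    def is_expired(self, now: float) -> bool:
        # Treat the token as expired slightly early so no request straddles expiry.
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS


class SpoonityAuth:
    def __init__(self, client_id: str, client_secret: str, post=default_post, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret  # keep out of logs and URLs; sent in the body only
        self._post = post
        self._clock = clock

    def exchange_code(self, code: str) -> Token:
        """POST the four fields the page's curl example sends; return a Token."""
        form = {
            "client_secret": self._client_secret,
            "client_id": self._client_id,
            "grant_type": "authorization_code",
            "code": code,
        }
        requested_at = self._clock()  # expiry counts from when we asked, not when we parsed
        status, body = self._post(TOKEN_URL, form)
        if status != 200:
            raise TokenError(f"token endpoint returned HTTP {status}")
        payload = json.loads(body)
        if str(payload.get("token_type", "")).lower() != "bearer":
            raise TokenError("unexpected token_type")
        access_token = payload.get("access_token")
        expires_in = payload.get("expires_in")
        if not isinstance(access_token, str) or not isinstance(expires_in, (int, float)):
            raise TokenError("response missing access_token or expires_in")
        return Token(access_token, requested_at + float(expires_in))

    @staticmethod
    def auth_header(token: Token) -> Dict[str, str]:
        return {"Authorization": f"Bearer {token.value}"}


def api_key_header(api_key: str) -> Dict[str, str]:
    """Long-lived API keys go in the same header as short-lived tokens."""
    return {"Authorization": f"Bearer {api_key}"}


def constructed_fake_endpoint(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the token endpoint so the example runs offline.
    It checks the fields the curl example sends and answers in the documented shape."""
    required = {"client_id", "client_secret", "grant_type", "code"}
    if url != TOKEN_URL or set(form) != required or form["grant_type"] != "authorization_code":
        return 400, json.dumps({"error": "invalid_request"})
    if form["code"] != "constructed-code":
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps(
        {"access_token": "constructed-access-token", "token_type": "bearer", "expires_in": 60}
    )


def demo(now: float = 1000.0) -> Tuple[Token, Dict[str, str]]:
    """Exchange a constructed code against the fake endpoint at a fixed clock."""
    auth = SpoonityAuth("constructed-client-id", "constructed-client-secret",
                        post=constructed_fake_endpoint, clock=lambda: now)
    token = auth.exchange_code("constructed-code")
    return token, auth.auth_header(token)


if __name__ == "__main__":
    tok, hdr = demo()
    print(hdr, "expires at", tok.expires_at, "expired now?", tok.is_expired(1000.0))
```

Before each request, check Token.is_expired against the current clock and run the exchange again when it returns True; the margin keeps a request from being sent with a token that expires in transit. Pass default_post in place of the constructed endpoint to talk to the real service.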
Authorization
Both short and long-lived tokens will include a set of scopes that determine what actions the token can perform.
For short-lived tokens, the role of the authenticated user is carried over. Any action the user is authorized to perform is permitted via the token as well. Keep this in mind: a short-lived token is exactly as privileged as the user who authorized it.
Long-lived API keys have their role assigned explicitly during key creation.
Using an SDK
The Spoonity SDK will handle authentication and authorization of the API for you. Simply set your API key as an environment variable, and the rest of the authentication handshake will be handled automatically.