    Authentication

    The Spoonity API supports several authentication methods to suit different use cases. This documentation will help you understand which method to use and when.

    Token types

    Two primary token types are used to authenticate requests to the Spoonity API: API keys and session tokens.

    API keys are long-lived tokens that are most often scoped to individual stores within the Spoonity platform, and are used to authenticate in-store requests.

    Session tokens are short-lived tokens that are generated using Spoonity's user authentication endpoint, and are used to authenticate requests from users.

    Using API keys

    API keys are generated from the Spoonity dashboard, from the Configuration tab of a specific location.

    From here, you can generate a new API key, or copy an existing one.

    When generating a new API key, you will be prompted to select a point of sale to link the key to. Selecting one of the preset options will automatically create the key with the most common default authorization options.

    Alternatively, you can create a customized key, which allows you to select a point of sale, a role, and an application type. These values handle authorization and determine permissions when making requests to the platform.

    A billing owner must be assigned to a store before an API key can be generated. Billing accounts must also be in good standing.

    Due to their long-lived nature, API keys should be treated as secrets, and only used in trusted environments. API keys should never be used in end-customer-facing applications, or in clients that can be decompiled.

    API keys should be passed in the URL under the api_key parameter.

    Place an order

    # Quote the URL so the shell does not treat "?" as a glob character.
    curl "https://api.spoonity.com/order?api_key={api_key}" \
      -d "{
        ...
      }"
    

    Using session tokens

    End-customer APIs are authenticated using session tokens instead of API keys. These tokens are generated using the Spoonity user authentication endpoint.

    These tokens should be considered short-lived, and point to a specific user.

    While technically short-lived, session tokens can have long lifespans. Regardless, your integration should be able to handle request failures and route users to re-authenticate in scenarios where the token becomes invalid.

    Since these tokens have a much narrower scope, they can be used in client applications. They should still be stored securely to protect end-customers.

    Session tokens should be passed in the URL under the session_key parameter.

    Get a customer profile

    # Quote the URL so the shell does not treat "?" as a glob character.
    curl "https://api.spoonity.com/user/profile?session_key={session_key}"
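
Because both credentials travel in the query string, they appear in full wherever request URLs are recorded (access logs, proxy logs, error traces). The following added example, which is not part of Spoonity's documentation or code, masks the api_key and session_key parameters before a URL or log line is stored; the helper names and all sample values are constructed for illustration.

```python
import logging
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters this page names as credential carriers.
SECRET_PARAMS = {"api_key", "session_key"}
MASK = "REDACTED"

# Finds either parameter inside free-form text such as an access-log line.
_INLINE = re.compile(r"\b(api_key|session_key)=[^&\s\"']+", re.IGNORECASE)


def redact_url(url: str) -> str:
    """Mask credential values in a URL, leaving other parameters intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, MASK if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))


def redact_line(line: str) -> str:
    """Mask credential values wherever they occur in a line of text."""
    return _INLINE.sub(lambda m: f"{m.group(1)}={MASK}", line)


class RedactSecrets(logging.Filter):
    """Logging filter that scrubs every record before a handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_line(record.getMessage())
        record.args = ()  # message is already formatted
        return True


# Constructed sample lines; the key and token values are made up.
SAMPLE_LINES = [
    'POST /order?api_key=k3y-constructed-0001 HTTP/1.1" 200',
    'GET /user/profile?session_key=s3ss-constructed-0002&lang=en HTTP/1.1" 200',
    'GET /healthz?verbose=1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(redact_line(line))
    print(redact_url("https://api.spoonity.com/order?api_key=k3y-constructed-0001"))
```

Attach `RedactSecrets()` to each log handler with `addFilter` so that URLs logged by HTTP client code are scrubbed before they reach disk.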
    


    © Copyright 2026 Spoonity, Inc. All rights reserved.