Authentication
The Spoonity API supports several authentication methods to suit different use-cases. The following documentation will help you understand which method to use and when.
Token types
There are two primary token types used to authenticate requests to the Spoonity API: API keys and session tokens.
API keys are long-lived tokens that are most often scoped to an individual store within the Spoonity platform, and are used to authenticate in-store requests.
Session tokens are short-lived tokens that are generated using Spoonity's user authentication endpoint, and are used to authenticate requests made on behalf of an individual user.
Using API keys
API keys are generated from the Spoonity dashboard, from the Configuration tab of a specific location.
From here, you can generate a new API key, or copy an existing one.
When generating a new API key, you will be prompted to select a point of sale to link the key to. Selecting one of the preset options will automatically create the key with the most common default authorization options.
Alternatively, you can create a customized key, which allows you to select each of a point of sale, a role, and an application type. These values control authorization and determine the permissions the key has when making requests to the platform.
A billing owner must be assigned to a store before an API key can be generated. Billing accounts must also be in good standing.
Because they are long-lived, API keys must be treated as secrets and used only from trusted, server-side environments. API keys must never be embedded in end-customer facing applications or in any client that ships to end users (mobile apps, browser code, desktop clients), since those can be decompiled or inspected and the key extracted and reused.
API keys should be passed in the URL under the api_key parameter. Note that anything in the query string is routinely recorded in web-server, proxy and CDN access logs and in browser history, so restrict access to such logs and avoid pasting request URLs into bug reports or chat.
Place an order
curl https://api.spoonity.com/order?api_key={api_key} \
-d "{
...
}"
Using session tokens
End-customer APIs are authenticated using session tokens instead of API keys. These tokens are generated using the Spoonity user authentication endpoint.
These tokens should be considered short-lived, and are bound to a specific user.
Although they are considered short-lived, session tokens may in practice remain valid for an extended period. Your integration must not rely on either behaviour: it should handle request failures and route the user back through authentication whenever a token is rejected as invalid or expired, rather than assuming a token it holds is still usable.
Since these tokens have a much narrower scope (a single user), they can be used in client applications. They should still be stored securely to protect end-customers: use the operating system's credential store where one is available, and never write them to plaintext files or logs.
Session tokens should be passed in the URL under the session_key parameter. Like API keys, they then travel in the query string and can end up in access logs and browser history; treat those as sensitive.
Get a customer profile
curl https://api.spoonity.com/user/profile?session_key={session_key}
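The following is an added example written for this page, not Spoonity's own client code. It covers both credential types described above: it builds request URLs with api_key or session_key as a query parameter (percent-encoded, so a key containing "&" or "=" is not mangled), redacts the credential before the URL is logged, and, for session tokens, re-authenticates once and retries when the API rejects the token. Everything beyond the two documented parameter names is an assumption: the page does not state which HTTP status an invalid token produces (401 and 403 are assumed here), the transport callable stands in for a real HTTP library, and the credentials and fake server responses are constructed so the example runs offline.

```python
"""Added example (not Spoonity's code): query-parameter credentials, log
redaction, and re-authentication on a rejected session token.

Assumptions (not stated on the page):
  * an invalid/expired session token yields HTTP 401 or 403;
  * `transport` is any callable (url, body) -> (status, body) standing in
    for urllib/requests; the fake one below is constructed for offline use.
"""
from __future__ import annotations

import re
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://api.spoonity.com"
INVALID_TOKEN_STATUSES = {401, 403}  # assumption, see module docstring
Transport = Callable[[str, Optional[str]], Tuple[int, str]]


def build_url(path: str, param: str, credential: str, **extra: str) -> str:
    """Append the credential (api_key or session_key) as a query parameter.
    Encoding through urlencode keeps '&', '=' and '+' inside the credential
    from being interpreted as query-string syntax."""
    parts = urlsplit(BASE_URL + path)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra)
    query[param] = credential
    return urlunsplit(parts._replace(query=urlencode(query)))


_CRED_RE = re.compile(r"((?:api_key|session_key)=)[^&\s]*")


def redact(url: str) -> str:
    """Mask credential values so a logged URL cannot be replayed."""
    return _CRED_RE.sub(r"\1[REDACTED]", url)


def store_request(transport: Transport, path: str, api_key: str,
                  body: Optional[str] = None) -> Tuple[int, str]:
    """In-store (server-side) call authenticated with a long-lived API key."""
    return transport(build_url(path, "api_key", api_key), body)


class CustomerSession:
    """End-customer calls authenticated with a session token.

    `reauthenticate` is an injected callable returning a fresh session_key,
    e.g. by sending the user back through the user authentication endpoint.
    A rejected token triggers exactly one re-authentication and retry."""

    def __init__(self, transport: Transport, session_key: str,
                 reauthenticate: Callable[[], str]) -> None:
        self.transport = transport
        self.session_key = session_key
        self.reauthenticate = reauthenticate
        self.log: list[str] = []  # redacted request log

    def request(self, path: str, body: Optional[str] = None) -> Tuple[int, str]:
        status, resp = 0, ""
        for attempt in range(2):
            url = build_url(path, "session_key", self.session_key)
            status, resp = self.transport(url, body)
            self.log.append(f"{status} {redact(url)}")
            if status not in INVALID_TOKEN_STATUSES:
                return status, resp
            if attempt == 0:
                self.session_key = self.reauthenticate()
        return status, resp  # still rejected after re-auth: surface to caller


def make_fake_transport(valid_credentials: set) -> Tuple[Transport, list]:
    """Constructed stand-in for the network, not Spoonity's API: accepts any
    credential in `valid_credentials`, rejects the rest with 401."""
    calls: list = []

    def transport(url: str, body: Optional[str]) -> Tuple[int, str]:
        calls.append(url)
        query = dict(parse_qsl(urlsplit(url).query))
        cred = query.get("session_key") or query.get("api_key")
        if cred in valid_credentials:
            return 200, '{"ok":true}'
        return 401, '{"error":"invalid token"}'

    return transport, calls


def demo() -> Tuple[int, int, str, list]:
    """Stale session token -> 401 -> re-auth -> retry succeeds."""
    transport, calls = make_fake_transport({"sk_fresh"})
    session = CustomerSession(transport, "sk_stale", reauthenticate=lambda: "sk_fresh")
    status, _ = session.request("/user/profile")
    return status, len(calls), session.session_key, session.log


if __name__ == "__main__":
    print(demo())
```

The retry is bounded to one re-authentication on purpose: if the freshly issued token is also rejected, the caller sees the failure instead of the client looping against the authentication endpoint.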