
Authentication

The authentication layer is built on top of the randevu API system. The randevu API is secured with two levels of authentication:

  • System scoped authentication is applied to every API call to randevu. At this level the sandbox and production environments are told apart, since each marketplace has its own unique public key.

  • Role scoped authentication differs between the two types of API calls.

System scoped authentication a.k.a. Public Key

The first authentication level is based on an API key that must be provided in the x-randevu-key HTTP header.

Getting the API key

Your public key can be generated within your Backoffice app by BACKOFFICE_OWNER or BACKOFFICE_ADMIN users.

Each registered marketplace will typically generate two versions of this key: a sandbox version and a production version.

The public key is a simple encrypted string that identifies your application without granting any authorization. The key is used to associate requests with your quota and billing. It has no expiration date and may be used indefinitely, unless you revoke it or regenerate a new one in Backoffice.

Role scoped authentication

The second level of authentication is different for the two types of randevu API calls.

Marketplace API user authentication

This mechanism is intended for building marketplace user-facing features, typically frontends such as web and mobile applications.

It relies on a user session token, generated for each user when they log in to the system. To log in to randevu, marketplace users need their credentials.

Getting the user session token

Call the login API by providing:

  • the corresponding public key (sandbox or production version) in the x-randevu-key HTTP header
  • the user credentials (email, password and marketplace_name) as parameters of the API call

to get a fresh user session token.

User email and password are assigned on user registration.

The user session token must be provided in each subsequent request, within the Authorization HTTP header. It expires either on an explicit call to the logout API or automatically, after 10 minutes of inactivity.

Backoffice API user authentication a.k.a. Private Secret

This mechanism is used for building randevu extensions, webhook servers and background processes, and is therefore not tied to a concrete (human) randevu user but to an API user.

Similarly to the user session token used by the Marketplace API, an API user needs an API session token.

Getting the API session token

Call the getAPISessionToken API by providing:

  • the corresponding public key (sandbox or production version) in the x-randevu-key HTTP header
  • the API user's private secret as a parameter of the API call

Use the Backoffice app to create an API user and generate its private secret. BACKOFFICE_OWNER or BACKOFFICE_ADMIN rights are needed for this operation.

The API session token must be provided in each subsequent request, within the Authorization HTTP header. It expires either on an explicit call to the logout API or automatically, after 10 minutes of inactivity.
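As an added illustration (not randevu's own client code), the following Python class models the two layers described on this page for both the marketplace user login and the API user getAPISessionToken flows: the public key in the x-randevu-key header on every call, the session token in the Authorization header afterwards, and re-authentication when the token has expired after 10 minutes of inactivity. The endpoint paths, JSON field names and the injected transport are assumptions, not randevu's documented wire format.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Injected transport (method, path, headers, body) -> (status, response) so this runs offline.
# Endpoint paths and JSON field names are assumptions, not randevu's documented wire format.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class RandevuSession:
    IDLE_TIMEOUT = 600  # the page: session tokens expire after 10 minutes of inactivity
    def __init__(self, public_key: str, transport: Transport):
        self.public_key = public_key  # sandbox *or* production key, one per environment
        self.transport = transport
        self.token: Optional[str] = None
        self.last_used = 0.0
        self._auth: Optional[Tuple[str, dict]] = None  # how to obtain a fresh token
    def _headers(self) -> Dict[str, str]:
        h = {"x-randevu-key": self.public_key}  # level 1: identifies the application
        if self.token:
            h["Authorization"] = self.token  # level 2: marketplace or API user session
        return h
    def _authenticate(self) -> str:
        if self._auth is None:
            raise RuntimeError("call login() or get_api_session_token() first")
        path, params = self._auth
        status, body = self.transport("POST", path, {"x-randevu-key": self.public_key}, params)
        if status != 200 or not body.get("token"):
            raise PermissionError(f"{path} rejected credentials (HTTP {status})")
        self.token, self.last_used = body["token"], time.monotonic()
        return self.token
    def login(self, email: str, password: str, marketplace_name: str) -> str:
        # Marketplace user: credentials travel as parameters of the login call.
        self._auth = ("/login", {"email": email, "password": password,
                                 "marketplace_name": marketplace_name})
        return self._authenticate()
    def get_api_session_token(self, private_secret: str) -> str:
        # API user (Backoffice): the private secret is the only parameter.
        self._auth = ("/getAPISessionToken", {"private_secret": private_secret})
        return self._authenticate()
    def request(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        # Authenticated call; get a fresh token if idle too long or if the server rejects it.
        if self.token is None or time.monotonic() - self.last_used > self.IDLE_TIMEOUT:
            self._authenticate()
        status, resp = self.transport(method, path, self._headers(), body)
        if status == 401:
            self._authenticate()
            status, resp = self.transport(method, path, self._headers(), body)
        self.last_used = time.monotonic()
        return status, resp
```

The public key and the credentials never leave the client except inside the transport call, so the same class can be pointed at the sandbox or the production key without changing the token handling.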