Authentication & Tokens
As mentioned in the getting started section, there are two ways of authenticating with the REST API:
- User Authorization Token (UAT), created from the portal. We advise using this method as it gives you direct access to the endpoint without having to log in first. It also allows for finer-grained access control and can more easily be revoked for testing purposes.
- Username/password credentials, as provided at signup (logging in returns a JWT token to be used in the HTTP header)
When using the UAT token, it acts on behalf of the user with ONLY the access permissions that were assigned to the token when it was created. This limits what the token can do and is considered more secure. When using the JWT token, the logged-in session has ALL the rights of that user and as such can call any API that user has access to, so it is highly advised to only use a user with limited permissions.
To test if access is working, you can access GET https://api.staging.scantrust.io/api/v2/me/
Obtaining a User Authorization Token (UAT)
Log on to the Enterprise Portal as a company admin
From the left hamburger menu, click on your user name (below the heading me)
Click the PLUS icon next to USER AUTHORIZATION TOKENS
Select the date until which this token is valid
Select the access rights you would like to give to this token. Below are the available permissions:
- brand_create
- product_create
- scans_download
- scm_bulk_edit
- scm_code_edit
Using the UAT token
With the UAT token, instead of having to request a JWT token first, the UAT token obtained from the portal can be directly used in the header:
POST HEADER: "Authorization": "UAT {token value}"
Obtaining a JWT token
To call private API endpoints with a JSON Web Token (JWT), the token needs to be included in the request header, so you first have to call the login endpoint. On a successful call, the API responds with a JWT token to use in subsequent API calls.
The JWT is then sent in the request header as follows:
headers={"Authorization": "JWT " + token}
POST: /api/v2/auth/jwt/
Log in a user and return a JSON Web Token (JWT).
Attribute | Required? | Description
---|---|---
email | required | The email address of the Brand Admin/SCM User to log in
password | required | The password of the user
Body Parameters POST (application/json):
{
"email": "user@example.com",
"password": "p@sSw0rd"
}
Response (200): Status OK
When the user has successfully logged in, the following response is returned:
{
"token": "example_web_token"
}
Response (400): Invalid user or password
Response when the user is unable to log in:
{
"non_field_errors": [
"Unable to login with provided credentials."
]
}
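The two authentication modes described above (the UAT header and the JWT login against POST /api/v2/auth/jwt/) as a small Python client. This is an added example, not Scantrust's own SDK or documentation code: it uses the staging base URL and the request/response shapes shown on this page, and the injectable `post` parameter is an assumption of the example so the flow can be exercised offline against constructed responses.

```python
import json
import urllib.error
import urllib.request

API_BASE = "https://api.staging.scantrust.io"  # staging host named on this page


class LoginError(Exception):
    """Raised when /api/v2/auth/jwt/ does not return a token (e.g. the 400 case above)."""

    def __init__(self, status, errors):
        super().__init__(f"login failed ({status}): {errors}")
        self.status, self.errors = status, errors


def auth_header(token, scheme):
    """Authorization header for either mode: 'UAT <token>' or 'JWT <token>'."""
    if scheme not in ("UAT", "JWT"):
        raise ValueError("scheme must be 'UAT' (portal token) or 'JWT' (login result)")
    return {"Authorization": f"{scheme} {token}"}


def parse_login_response(status, body):
    """Return the JWT from a 200 response; otherwise raise LoginError carrying
    the API's non_field_errors (or the raw body if it was not JSON)."""
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    if status == 200 and isinstance(data.get("token"), str):
        return data["token"]
    raise LoginError(status, data.get("non_field_errors", [body]))


def http_post_json(url, payload):
    """POST a JSON body and return (status, body_text); non-2xx is returned, not raised."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def obtain_jwt(email, password, post=http_post_json):
    """Log in as described above. `post` is an injection hook of this example
    (not an API parameter) so constructed responses can be used offline."""
    status, body = post(f"{API_BASE}/api/v2/auth/jwt/", {"email": email, "password": password})
    return parse_login_response(status, body)
```

Use `auth_header(token, "UAT")` for the access check against GET /api/v2/me/; the JWT path only needs `obtain_jwt` followed by `auth_header(jwt, "JWT")`.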