Authentication

There are two ways to authenticate requests to the Sirportly API. The method you should use will depend on your application.

Account Authentication

If you wish to access all data and restrict access based on the API methods and source IP addresses, you can use the API Tokens area from the admin interface to generate a token & secret which should be used to authenticate your requests.

When you make a request to the API, you need to send an X-Auth-Token and X-Auth-Secret header with your request. These should contain the token & secret which are provided once your token has been created in the admin interface.

This authentication method should be used whenever there is no direct user interacting with the API. For example, if you integrate your helpdesk with other business tools or scripts where there is no single user with whom requests can be associated.

User Authentication

User authentication should be used in applications which are used by one of your Sirportly users but from another interface. For example, an iPhone or other mobile application.

In order to use this authentication method, your application must be registered and you will be provided with an application token which must be passed with all requests to the API. This token should be passed in the X-Auth-Application header. This token allows us to monitor application API usage.

In order to authenticate a user, you must send an API request to the server with the user's username & password. This API request will return information about the user including an API token & secret which must be used on all subsequent API requests, sent as X-Auth-Token and X-Auth-Secret headers. This token/secret pair is unique to your application and should only be used in conjunction with the application token from which it was requested. You may store the token/secret in your application to provide persistent access, although under no circumstances may you store the user's password within your application.

We will be adding an OAuth authentication flow to this process in the near future which will remove the need for third party applications to process a user's password.

Token/Secret Formats

  • The token will always be a 36 character string containing numbers, the letters a-f and hyphens. For example: "d3f269a9-932e-eeb0-05e7-14fdff8696b2".
  • The secret will be a 50 character string containing any letters and numbers only. For example: "us1yy8ksfclycf4m5j5alydyrct0ytti1gty551sqeopv4qm0d".
  • The application token will always be a 36 character string containing numbers, the letters a-f and hyphens. For example: "d3f269a9-932e-eeb0-05e7-14fdff8696b2". This only applies to user authentication.
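
The following is an added example, not code from Sirportly: a pre-flight check that validates credentials against the formats listed above, builds the header set for either authentication method, and produces a copy that is safe to log. The function names build_auth_headers and redact are assumptions, the sample values are the ones from the format examples above, and no request is sent.

```python
import re

# Formats as stated in the documentation above.
TOKEN_RE = re.compile(r"[0-9a-f-]{36}")      # token and application token
SECRET_RE = re.compile(r"[A-Za-z0-9]{50}")   # secret


def build_auth_headers(token, secret, application_token=None):
    """Return the X-Auth-* headers for a request.

    Without application_token this is account authentication; with it,
    user authentication. Raises ValueError on a malformed credential, so a
    truncated or whitespace-padded value is caught before it is sent.
    Error messages never include the credential itself.
    """
    # fullmatch (not match or a "$" anchor) also rejects a trailing newline.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token does not match the documented format")
    if not SECRET_RE.fullmatch(secret):
        raise ValueError("secret does not match the documented format")
    headers = {"X-Auth-Token": token, "X-Auth-Secret": secret}
    if application_token is not None:
        if not TOKEN_RE.fullmatch(application_token):
            raise ValueError("application token does not match the documented format")
        headers["X-Auth-Application"] = application_token
    return headers


def redact(headers):
    """Copy of headers safe to log: the secret is masked, tokens shortened."""
    safe = {}
    for name, value in headers.items():
        if name == "X-Auth-Secret":
            safe[name] = "[redacted]"
        elif name.startswith("X-Auth-"):
            safe[name] = value[:8] + "..."
        else:
            safe[name] = value
    return safe


if __name__ == "__main__":
    # Sample values copied from the documentation's own format examples.
    token = "d3f269a9-932e-eeb0-05e7-14fdff8696b2"
    secret = "us1yy8ksfclycf4m5j5alydyrct0ytti1gty551sqeopv4qm0d"
    print(redact(build_auth_headers(token, secret)))
    print(redact(build_auth_headers(token, secret, application_token=token)))
```

Log the output of redact rather than the real header dictionary, so the secret never reaches log files or error reports.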
