Authorisation [as the word implies] is a way of telling the service that the person [or application] making the API request has been granted the required permissions to make the call; this involves providing some secret only known by the service and you - this secret can always be used to identify "who" made the call.
How requests are authorised
Requests are authorised by specifying the
Authorizationheader in the API request. It usually looks like:
Authorization: Bearer AUTH_TOKEN
All endpoints on the API require authorisation and the reason for this is to prevent abuse. There are different forms of secrets that can be provided to authorise an API request and they're required for different situations.
|Token Type||What is Identifies||Auth. Level||Description|
|Temporary JWT||Customer + User||1||This form of authorisation is only used during authentication.|
After a successful call to the login endpoint, a JWT is returned but it can only be used to complete the 2FA flow for the login action after which an open JWT is returned.
This means this mode is only ever required just before the user completes login authorization via OTP.
Although this JWT can identify the customer profile & user performing the action, it can only be used on for the OTP authorization endpoint - it is rejected everywhere else
|User JWT||Customer + User||2||This form of authorization is allowed across all endpoints that require some authorization - excluding the OTP authorization endpoint.|
It can even be used for endpoints that require the App Key access
|Introducing PATs||Customer + User||2||Same as we have above|
Tokens at higher levels can be used in place of tokens at lower levels when making calls. What this means is, I can use a PAT or User JWT instead of an App Key when calling the List Countries endpoint.