This section describes why different authorisation levels apply to the API endpoints.

What does authorisation mean?

Authorisation [as the word implies] is a way of telling the service that the person [or application] making the API request has been granted the permissions required to make the call. This involves providing a secret known only to the service and to you; because the secret is tied to you, it can always be used to identify "who" made the call.


How requests are authorised

Requests are authorised by specifying the Authorization header in the API request. It usually looks like:

Authorization: Bearer AUTH_TOKEN

Authorisation on Brass

All endpoints on the API require authorisation; this is to prevent abuse. Different forms of secret can be provided to authorise an API request, and each is required in different situations.

Token type: Temporary JWT
What it identifies: Customer + User
Auth. level: 1
Description: This form of authorisation is only used during authentication.
After a successful call to the login endpoint, a JWT is returned, but it can only be used to complete the 2FA flow for the login action, after which an open JWT is returned.
This means this mode is only ever required just before the user completes login authorisation via OTP.
Although this JWT can identify the customer profile and the user performing the action, it can only be used for the OTP authorisation endpoint; it is rejected everywhere else.

Token type: User JWT
What it identifies: Customer + User
Auth. level: 2
Description: This form of authorisation is allowed across all endpoints that require some authorisation, excluding the OTP authorisation endpoint.
It can even be used for endpoints that require App Key access.

Token type: PATs (newly introduced)
What it identifies: Customer + User
Auth. level: 2
Description: Same as the User JWT above.


Auth Levels

Tokens at higher levels can be used in place of tokens at lower levels when making calls. This means, for example, that a PAT or User JWT can be used instead of an App Key when calling the List Countries endpoint.
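As an added example (not Brass's own code), the following Python models the token table and the substitution rule above as a server-side check: the Temporary JWT is accepted only on the OTP endpoint, and any other token passes when its level meets the endpoint's requirement. The token values, endpoint names and the App Key's level (the page only says it is below level 2) are assumptions.

```python
from dataclasses import dataclass

APP_KEY_LEVEL = 1                  # assumed: the page only says it is below level 2
OTP_ENDPOINT = "POST /auth/otp"    # constructed name for the OTP authorisation endpoint


@dataclass(frozen=True)
class Token:
    kind: str    # temporary_jwt | user_jwt | pat | app_key
    level: int   # the "Auth. level" column of the table


# Constructed secret store; a real service resolves the secret to its record.
TOKENS = {
    "tmp-jwt-123": Token("temporary_jwt", 1),
    "user-jwt-456": Token("user_jwt", 2),
    "pat-789": Token("pat", 2),
    "app-key-000": Token("app_key", APP_KEY_LEVEL),
}

# Constructed endpoint catalogue: the level each endpoint requires.
ENDPOINTS = {
    OTP_ENDPOINT: 1,
    "GET /countries": APP_KEY_LEVEL,   # "List Countries" needs App Key access
    "GET /accounts": 2,                # constructed level-2 endpoint
}


def parse_bearer(header):
    """Return the secret from an 'Authorization: Bearer AUTH_TOKEN' value, or None."""
    scheme, _, secret = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not secret.strip():
        return None
    return secret.strip()


def authorize(header, endpoint):
    """Return (allowed, reason) for a request carrying this header to this endpoint."""
    secret = parse_bearer(header or "")
    token = TOKENS.get(secret) if secret else None
    if token is None:
        return False, "missing or unknown token"
    required = ENDPOINTS.get(endpoint)
    if required is None:
        return False, "unknown endpoint"   # every endpoint needs authorisation: default deny
    # The temporary JWT is valid only while completing 2FA on the OTP endpoint,
    # and that endpoint accepts nothing else.
    if (token.kind == "temporary_jwt") != (endpoint == OTP_ENDPOINT):
        return False, f"{token.kind} not accepted on {endpoint}"
    if token.level < required:   # a higher level stands in for a lower one
        return False, f"level {token.level} below required level {required}"
    return True, f"{token.kind} accepted at level {token.level}"
```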