Authorization

This section describes why different authorization levels apply to the API endpoints

What does authorisation mean?

Authorisation [as the word implies] is a way of telling the service that the person [or application] making the API request has been granted the required permissions to make the call; this involves providing some secret only known by the service and you - this secret can always be used to identify "who" made the call.

👍

How requests are authorised

Requests are authorised by specifying the Authorization header in the API request. It usually looks like:

Authorization: Bearer AUTH_TOKEN

Authorisation on Brass

All endpoints on the API require authorisation and the reason for this is to prevent abuse. There are different forms of secrets that can be provided to authorise an API request and they're required for different situations.

Token Type

What is Identifies

Auth. Level

Description

Temporary JWT

Customer + User

1

This form of authorisation is only used during authentication.

After a successful call to the login endpoint, a JWT is returned but it can only be used to complete the 2FA flow for the login action after which an open JWT is returned.

This means this mode is only ever required just before the user completes login authorization via OTP.

Although this JWT can identify the customer profile & user performing the action, it can only be used on for the OTP authorization endpoint - it is rejected everywhere else

User JWT

Customer + User

2

This form of authorization is allowed across all endpoints that require some authorization - excluding the OTP authorization endpoint.

It can even be used for endpoints that require the App Key access

Introducing PATs

Customer + User

2

Same as we have above

📘

Auth Levels

Tokens at higher levels can be used in place of tokens at lower levels when making calls. What this means is, I can use a PAT or User JWT instead of an App Key when calling the List Countries endpoint.