Authentication and authorization
This article explains how Paazl authentication and authorization work. Paazl maximises the security of your webshop's order process by using three-legged OAuth 2.0 authentication in which the "API Secret" (private key) is known only to your webshop. Your customers can access only the "API Key" (public key).
Authentication & authorization overview
How the Paazl API authentication works is shown schematically in the following diagram.
Generating API keys
The Paazl web app's REST API configuration screen enables you to generate the public and private API keys that you need to request an access token from the Paazl authentication server.
To generate API keys, follow the steps below.
Note
If you do not see the "REST API" link referred to in step 3 below, contact Paazl Customer Support to activate it for you.
Token expiration
Access tokens are valid for 30 days from the moment they are returned by the Paazl authentication server.
The token retrieved at the start of a session is valid for the whole session, so you can include it in subsequent API calls during that session.
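One way to handle this on the webshop server, as an added example that is not Paazl's own code: a per-session token store that reuses a token for the rest of the session and requests a new one once the 30-day validity is nearly over. The names `SessionTokenStore` and `request_token` and the one-hour safety margin are assumptions; the actual token request is left to a callable you supply, which keeps the API Secret on the server.

```python
import threading
import time
from typing import Callable, Dict, Tuple

TOKEN_LIFETIME_S = 30 * 24 * 3600  # from the page: valid for 30 days once returned
REFRESH_MARGIN_S = 3600            # assumption: stop using a token 1 hour early


class SessionTokenStore:
    """Server-side store holding one access token per checkout session."""

    def __init__(self, request_token: Callable[[str], str],
                 clock: Callable[[], float] = time.time):
        # request_token is a hypothetical callable that asks the authentication
        # server for a token using the API Secret; it runs on the server only.
        self._request_token = request_token
        self._clock = clock
        self._lock = threading.Lock()
        self._tokens: Dict[str, Tuple[str, float]] = {}  # session -> (token, expires_at)

    def token_for(self, session_id: str) -> str:
        with self._lock:
            entry = self._tokens.get(session_id)
            if entry and self._clock() < entry[1] - REFRESH_MARGIN_S:
                return entry[0]  # still valid: reuse for the rest of the session
            token = self._request_token(session_id)
            # Validity counts from the moment the token is returned, so stamp
            # the expiry after the call completes, not before it starts.
            self._tokens[session_id] = (token, self._clock() + TOKEN_LIFETIME_S)
            return token

    def end_session(self, session_id: str) -> None:
        # Drop the token as soon as the session is over.
        with self._lock:
            self._tokens.pop(session_id, None)

    def purge_expired(self) -> int:
        # Remove tokens past their 30-day validity; returns how many were removed.
        with self._lock:
            now = self._clock()
            stale = [s for s, (_, exp) in self._tokens.items() if now >= exp]
            for s in stale:
                del self._tokens[s]
            return len(stale)
```

Run `purge_expired()` periodically so abandoned sessions do not leave tokens in memory.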
Whitelisting your webshop
In addition to working with an access token, you can whitelist the IP range of your webshop (and other sites) with Paazl. When you whitelist a site, you tell Paazl that you have explicitly authorized that site to request tokens. If you don't use whitelisting, any IP address can request tokens. We highly recommend that you use whitelisting.
To whitelist an IP range, log in to the Paazl web app and follow the steps below.