API Authentication
All requests to the API must be authenticated using the following two HTTP headers:
- Token as the Authorization header. This can be acquired via a successful call to the /users/login endpoint as described below.
- X-APPLICATION-ID to scope the request to a specific client application and tenant combination. This should be included in every request, even when the request to the API is unauthenticated.
For example:
Authorization: Token xxxxxxxxxxxxxxxxxxxxxxxx
x-application-id: 1234567890
The x-application-id is not retrievable via an API request and will be provided by a member of the PepperHQ team.
Anonymous requests, as well as login requests, do not require Token-based authentication.
Role Based Access
Access to API endpoints is restricted by role and by resource.
The available roles are:
| Role | Description |
|---|---|
| Admin | An Admin is able to perform administrative tasks such as creating or updating Location information. |
| User | A User is able to perform tasks that are appropriate for an end-user app. |
| Owner | A request-time state of User that filters resources being returned in collections according to ownership. |
| Self | A request-time state of User that ensures only Users associated with resources can act upon them. |
| Anon | No authentication is required to access this resource. |
| Anyone | Any authenticated user, regardless of role. |
Owner and Self differ in that Owner is a filter that restricts collection responses to resources available to the authenticated User, while Self ensures that only the owner of a resource is able to access it.
For example, a request to /foo that is protected by Owner will only return foo resources that are associated with the authenticated user, whereas a request to /foo/{id} that is protected by Self will only succeed if the authenticated user is associated with the foo with the specified id.
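The header scheme and the Owner/Self distinction described above, as an added Python example (not PepperHQ's own code) run over constructed sample data; the foo collection, the Principal type and the function names are assumptions, while the role names are the ones in the table.

```python
# Added example, not PepperHQ's own code: a minimal model of the header
# scheme and the Owner/Self distinction, run over constructed sample data.
# Resource shape and endpoint names are assumptions; role names are the
# ones in the table above.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    user_id: Optional[str] = None   # None for an unauthenticated (Anon) request
    role: Optional[str] = None      # "Admin" or "User"; None when unauthenticated

# Constructed sample collection: each foo lists the users associated with it.
FOOS = {
    "f1": {"id": "f1", "users": {"u1"}},
    "f2": {"id": "f2", "users": {"u2"}},
    "f3": {"id": "f3", "users": {"u1", "u2"}},
}

def auth_headers(application_id: str, token: Optional[str] = None) -> dict:
    """Both headers for an authenticated call; X-APPLICATION-ID alone for Anon/login."""
    headers = {"X-APPLICATION-ID": application_id}
    if token is not None:
        headers["Authorization"] = f"Token {token}"
    return headers

def _require_authenticated(p: Principal) -> None:
    if p.role is None:
        raise PermissionError("401: Authorization token required")

def list_foos(p: Principal, required: str) -> list:
    """GET /foo. Owner narrows the collection to the caller's own resources."""
    if required == "Anon":
        return list(FOOS.values())
    _require_authenticated(p)
    if required == "Admin" and p.role != "Admin":
        raise PermissionError("403: Admin role required")
    if required == "Owner":
        return [f for f in FOOS.values() if p.user_id in f["users"]]
    return list(FOOS.values())      # Anyone, User, Admin: unfiltered

def get_foo(p: Principal, foo_id: str, required: str) -> dict:
    """GET /foo/{id}. Self fails outright unless the caller is associated."""
    if required != "Anon":
        _require_authenticated(p)
    if required == "Admin" and p.role != "Admin":
        raise PermissionError("403: Admin role required")
    foo = FOOS[foo_id]
    if required == "Self" and p.user_id not in foo["users"]:
        raise PermissionError("403: resource not associated with this user")
    return foo
```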