
Authentication & Authorization

The design of interactions with the Streamline APIs is rooted in the principle of secure access. All API access is secured using OAuth 2.0 and OpenID semantics, supplemented by an additional subscription-based security layer.

To interact with any API, a subscription key is required to identify the scope of the API being accessed.

INFO

A single subscription key cannot be used to access more than one API. Our team creates this subscription for you.

If you need to access multiple APIs, unique subscription keys will be generated for each API. The subscription key is passed with each request, either in the ocp-apim-subscription-key header or as the subscription-key query parameter.

Access to each API also requires a bearer token, which is passed in the Authorization header of every request. Streamline APIs support the client credentials grant flow to secure API access.

WARNING

All API interactions must be conducted over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.

Obtaining Application Access

As mentioned earlier, the API is not open to the public. An onboarding process is required to create a subscription for the product API and a client to generate a bearer token to access the APIs. Upon completion of the onboarding process, you will receive:

  1. Subscription keys (For the various APIs subscribed to)
  2. Client Id (Unique client identifier)
  3. Client Secret (Client identifier secret value)

WARNING

It is crucial to securely store these credentials as anyone who obtains them can use them to access the API. While the client_secret is generated using a sophisticated encryption algorithm, it is still important that you keep it safe and secure. For instance, it is not advisable to add it to a file that you commit to a public git repository.

Get an access token

A bearer token is generated by sending a POST request to the authorization server. The payload is structured as shown below.

POST /connect/token
Host: <authorization_server_url>
Content-Type: application/x-www-form-urlencoded

    client_id=xxxxxxxxxx&
    client_secret=xxxxxxxxxxxxxx&
    grant_type=client_credentials&
    scope=<API Scope>

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache
 
{
    "access_token": "eyJhbGciOiJIUzI.eyJzd...adQssw5c",
    "token_type": "bearer",
    "expires_in": 3600
}

HTTP/1.1 400 Bad Request
Cache-Control: no-store, no-cache, max-age=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8

{
    "error": "error_message"
}

INFO

A bearer token has a validity period of 3600 seconds / 1 hour. It is necessary to refresh the token after its validity period.

Use the access token

Now that you've acquired a token, use it to make requests to the API. When the token expires, repeat the request to the /connect/token endpoint to acquire a fresh access token, using the credentials you received during onboarding.

Examples of using the token are shown below:

csharp
httpClient.DefaultRequestHeaders.Authorization = new 
  AuthenticationHeaderValue("Bearer", "eyJhbGciOi...adQssw5c");
php
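// header() only sets response headers; send the token on the outgoing request with cURL
$ch = curl_init(API_ENDPOINT);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: Bearer eyJhbGciOi...adQssw5c"]);
$response = curl_exec($ch);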
java
HttpClient client = HttpClients.custom().build();
HttpUriRequest request = RequestBuilder.get()
  .setUri(API_ENDPOINT)
  .setHeader("Authorization", "Bearer eyJhbGciOi...adQssw5c")
  .build();
client.execute(request);
js
const token = 'eyJhbGciOi...adQssw5c'

// The request config, including headers, is passed as an object
axios.get(API_ENDPOINT, {
  headers: {
    Authorization: `Bearer ${token}`
  }
})

/* 
  Axios is a JavaScript library, https://github.com/axios/axios. 
  You can use whichever library you prefer
*/

INFO

These examples are not cast in stone.

Subscription Key

In addition to application credentials, a valid subscription key is required to access the platform APIs. The subscription key acts as a further security measure and associates your API usage with your subscription plan. It helps track and manage API consumption and ensures fair usage across different subscribers.

Upon subscribing to the platform APIs, you will be provided with a unique subscription key. It should be included in your API requests as a header or query parameter to authenticate your access.

js
// Subscription key sent as a request header
axios.get(API_ENDPOINT, {
  headers: {
    'Ocp-Apim-Subscription-Key': 'd484a1f0d34f43019'
  }
})
js
// Subscription key sent as the subscription-key query parameter
const res = await axios.get(API_ENDPOINT, { 
  params: { 
    'subscription-key': 'd484a1f0d34f43019' 
  } 
});
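
The token request, the renewal once the 3600-second validity runs out, and the two request headers described on this page, combined in one client. This is an added example, not Streamline's own code; createTokenClient, apiHeaders, the injected transport, the environment variable names and the auth.example.test host are assumptions.

```javascript
// Added example; names, env vars and URLs are illustrative assumptions.
const SKEW_MS = 60_000; // renew one minute before expires_in runs out

// Calls over plain HTTP fail anyway; refuse early so secrets never leave in clear text.
function requireHttps(url) {
  if (new URL(url).protocol !== 'https:') throw new Error(`refusing non-HTTPS URL: ${url}`);
  return url;
}

// Form-encoded client credentials request for POST /connect/token.
function buildTokenRequest({ authServer, clientId, clientSecret, scope }) {
  const body = new URLSearchParams({
    client_id: clientId, client_secret: clientSecret,
    grant_type: 'client_credentials', scope,
  });
  return {
    url: requireHttps(new URL('/connect/token', authServer).href),
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Keeps the token in memory only and requests a new one shortly before expiry.
function createTokenClient(cfg, transport = globalThis.fetch, now = Date.now) {
  let cached = null; // { token, expiresAt }
  return async function getToken() {
    if (cached && now() < cached.expiresAt - SKEW_MS) return cached.token;
    const { url, ...init } = buildTokenRequest(cfg);
    const res = await transport(url, init);
    const json = await res.json();
    if (!res.ok) throw new Error(`token request failed: ${json.error}`);
    cached = { token: json.access_token, expiresAt: now() + json.expires_in * 1000 };
    return cached.token;
  };
}

// Both credentials travel as headers, which keeps the key out of URLs and access logs.
async function apiHeaders(getToken, subscriptionKey) {
  return {
    Authorization: `Bearer ${await getToken()}`,
    'Ocp-Apim-Subscription-Key': subscriptionKey,
  };
}

// Usage: read secrets from the environment, never from a committed file, e.g.
// createTokenClient({ authServer: process.env.STREAMLINE_AUTH_URL, /* ... */ });
```
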
