Authentication

To authenticate with the Assetpool API, two types of credentials are required: a long-lived API key and a short-lived authorization token.

  • API Key: A long-lived API key is required to access the Assetpool API. This key is issued by Assetpool support and must be included in all requests to authenticate your application. The API key acts as a permanent credential for your app, ensuring secure access.
  • OAuth 2.0 Token: In addition to the API key, requests require a short-lived authorization token. This token can be obtained by logging into the API using OAuth 2.0. The API uses the Resource Owner Password Credentials Grant method to issue a Bearer token. This token is temporary and must be renewed periodically.

The API key is essential for all interactions with the API, while the OAuth 2.0 token is used for authorizing individual requests. No pre-registered client ID or secret is required to generate the authorization token.

API Keys

To securely access our APIs, you will need an API key. This key acts as a unique identifier for your application, ensuring that only authorized clients can interact with our platform. API keys can be obtained by contacting the Assetpool support team, who will provide you with the necessary credentials.

Using API Keys in Requests

Once you have received your API key, it must be included in all API requests to authenticate your application. To do this, include the API key in the HTTP header using the following format:

x-api-key: your_api_key

Here’s an example of a basic GET request with the API key:

curl -X GET https://api.assetpool.co/v1/resource \
     -H "x-api-key: your_api_key"

API Key Best Practices

To ensure the security of your application and data, follow these best practices when handling API keys:

  • Protect your API key: Your API key is the gateway to our platform. Keeping it confidential helps safeguard your data and account. Ensure it is never shared in public repositories, client-side code, or exposed in logs.
  • Regularly update your API keys: Rotating your API keys periodically reduces the risk of unauthorized access. This is an essential step in maintaining your account’s security and protecting your system.
  • Use environment-specific keys: For better control and isolation, use different API keys for development, staging, and production environments. This ensures any issue in one environment doesn’t impact others, maintaining system stability.
  • Stay informed about your key usage: Regularly monitor your API key activity to ensure there are no unexpected accesses. Setting up alerts for suspicious behavior helps keep your integration secure and responsive.

If your API key is compromised, immediately revoke it via the Assetpool support channel and request a new one to maintain security.

OAuth 2.0 Authentication Flow

To interact with the Assetpool API, you will need to authenticate using OAuth 2.0. The API requires a short-lived Bearer token that is obtained by logging in with your credentials, alongside your long-lived API key.

The login process involves sending a POST request with your username, password, and API key to the authentication endpoint. Upon successful login, the API will return an access token that can be used for subsequent requests. This token is valid for a limited time and must be refreshed periodically.

Example Login Flow

Here is an example of the authentication flow using curl:


curl -X POST "https://operational-api.v1.irl.assetpool.co/api/authentication/login" \
     -H "Content-Type: application/json" \
     -H "x-api-key: API_KEY" \
     -d '{"username": "USER_EMAIL", "password": "PASSWORD"}'

When the login request is successful, the API will return a JSON payload containing the access token, its expiration time, and the token type. A sample response would look like this:


{
    "accessToken": "access_token",
    "expiresIn": 86400,
    "tokenType": "Bearer"
}

The accessToken should be included in the Authorization header of subsequent API requests in the following format: x-api-token: access_token.
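
The login flow and key-handling practices above, combined into a small client helper. This is an added example, not Assetpool's own code: it loads credentials from the environment, caches the token, and logs in again shortly before it expires. Assumptions: the class name and environment variable names are hypothetical, expiresIn is taken to be in seconds, renewal is done by repeating the login call, and the token is sent as the x-api-token header shown in the format line above.

```python
import json
import os
import time
import urllib.request

LOGIN_URL = "https://operational-api.v1.irl.assetpool.co/api/authentication/login"  # from the page


def http_post_json(url, headers, body):
    """Default transport: POST JSON over HTTPS and decode the JSON reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AssetpoolAuth:
    """Caches the short-lived token and renews it shortly before it expires."""

    def __init__(self, api_key, username, password,
                 post=http_post_json, clock=time.monotonic, skew=60):
        self._api_key, self._username, self._password = api_key, username, password
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    @classmethod
    def from_env(cls, env=os.environ, **kwargs):
        # Variable names are assumptions; a KeyError here beats a hard-coded secret.
        return cls(env["ASSETPOOL_API_KEY"], env["ASSETPOOL_USERNAME"],
                   env["ASSETPOOL_PASSWORD"], **kwargs)

    def _login(self):
        reply = self._post(LOGIN_URL,
                           {"Content-Type": "application/json", "x-api-key": self._api_key},
                           {"username": self._username, "password": self._password})
        if reply.get("tokenType") != "Bearer" or not reply.get("accessToken"):
            raise RuntimeError("unexpected login response")  # do not echo the reply into logs
        self._token = reply["accessToken"]
        self._expires_at = self._clock() + int(reply["expiresIn"]) - self._skew

    def headers(self):
        """Headers for an API call; logs in again if the token is missing or near expiry."""
        if self._token is None or self._clock() >= self._expires_at:
            self._login()
        # Header name follows the page's "x-api-token: access_token" format line (assumption).
        return {"x-api-key": self._api_key, "x-api-token": self._token}

    def __repr__(self):
        return "AssetpoolAuth(<credentials redacted>)"  # keeps secrets out of logs and tracebacks
```

Call `AssetpoolAuth.from_env().headers()` before each request; the `post` and `clock` parameters exist so the renewal logic can be exercised without network access.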