API security
The Antavo Loyalty Cloud communicates with client systems through API requests.
Properly securing these API requests protects personal data and helps prevent fraudulent behavior. Depending on the type of API endpoint, different authentication and authorization mechanisms are used to ensure secure communication.
For general data compliance information, please refer to the relevant section of the documentation.
HTTPS
All API requests sent to Antavo should use HTTPS. Transport-level encryption via HTTPS prevents man-in-the-middle and eavesdropping attacks, ensuring in-transit confidentiality and integrity. If an unencrypted HTTP request is sent, the server automatically redirects it to a secure HTTPS connection. However, because this redirection can cause problems depending on the client's server configuration or framework, it is strongly recommended to always use HTTPS directly and avoid relying on the redirect.
API credentials
Credentials are used to authenticate client applications when accessing Antavo APIs.
Credentials are generated through the API settings of the Management UI for each workspace. Users with the necessary permissions can inspect or generate new credentials at any time. Depending on the authentication mechanism, these credentials are used either directly for request signing or to obtain an access token.
Authentication methods
Antavo APIs support different authentication mechanisms depending on the API endpoint.
Some APIs require request signing using an API key and secret, while others use token-based authentication.
API request signing
Many existing Antavo APIs require request signing using an API key and secret.
API credentials must be generated through the API settings of the Management UI for each workspace. The API key remains visible on the settings page, but the secret is only displayed once, immediately upon generation. For this reason, the secret must be securely stored, as it cannot be retrieved later.
To ensure safe identification and data integrity, API requests must be signed using the API key and secret, along with a timestamp and other request-specific metadata. This mechanism ensures that:
- the request originates from an authorized client
- the transmitted data is not modified during transit
- the request is accepted only once within a defined time window
The detailed signing process is described in the API signing document.
Important: Request signing is always required to access key-based APIs in production environments.
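As an added illustration of the three guarantees listed above (this is example code, not Antavo's actual signing scheme, which is defined in the API signing document), the following Python sketch pairs a client-side signer with a server-side verifier. It assumes an HMAC-SHA256 over the method, path, body hash, timestamp and a per-request nonce, a 300-second acceptance window and an in-memory nonce cache; the credentials are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample credential pair (assumed format, not real Antavo credentials).
API_KEY = "example-api-key"
API_SECRET = b"example-api-secret"
TIME_WINDOW_SECONDS = 300  # assumed acceptance window for a signed request


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body hash, timestamp and nonce into the string that is signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(method, path, body, timestamp, nonce, secret=API_SECRET):
    """Client side: hex-encoded HMAC-SHA256 of the canonical string under the API secret."""
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: checks key, timestamp freshness, signature, then single use of the nonce."""

    def __init__(self, secrets, window=TIME_WINDOW_SECONDS):
        self.secrets = secrets  # api_key -> secret bytes
        self.window = window
        self.seen = {}  # nonce -> timestamp at which it was first accepted

    def verify(self, api_key, method, path, body, timestamp, nonce, signature, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(api_key)
        if secret is None:
            return "unknown key"
        if abs(now - timestamp) > self.window:
            return "stale timestamp"  # outside the defined time window
        expected = sign_request(method, path, body, timestamp, nonce, secret)
        if not hmac.compare_digest(expected, signature):
            return "bad signature"  # origin or integrity check failed
        # Drop nonces older than the window; stale requests are already rejected above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return "replay"  # same request presented a second time inside the window
        self.seen[nonce] = timestamp  # record only after the signature has been verified
        return "ok"
```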
Token-Based Authentication (OAuth 2.0)
Some APIs use token-based authentication instead of request signing; the access token is obtained from the v1/auth/token endpoint.
Note: Currently, this authentication method is required for the Async Events API. Additional APIs may adopt this approach in the future.
Access tokens are issued via an OAuth 2.0 token endpoint using the Client Credentials grant type. To obtain an access token, clients authenticate using their client credentials generated through the API settings of the Management UI and request the appropriate scopes.
The issued access token must be included in subsequent API requests using the Authorization header:
Authorization: Bearer <access_token>