# Authentication
Currently, the primary authentication mechanism for most APIs is by means of an API key. Some newer APIs require an OAuth 2.0 bearer token. Each API will describe its authentication requirements.
# API Keys
The API keys are generated by Spur Corporation.
We can generate as many API keys as you need. Our guidance is to create a unique API key for each use case you have for an API or product. For example, don't use the same key for a mobile app for Spur and a website for RocoMamas. Rather use a different API key for each so that if the keys need to be regenerated, you don't need to change the keys in multiple places at once.
Once the keys have been created, we will communicate them to you. API keys are unique per environment. Keys intended for production will not work in staging and vice versa.
Depending on which APIs you need access to, you may be assigned multiple API keys, so please bear that in mind when designing an authentication strategy for the applications you are writing.
# Sending the API Key
The API key can be provided using an HTTP request header or a query string.
# HTTP Request Header
The API key can be sent via an HTTP request header called `X-API-Key` followed by the API key.

```
X-API-Key: your-api-key
```
# Query String
Alternatively, the API key can be provided as a query string parameter with the name `api-key` and the value as the key.
# Requesting a new Key
Should you need the API key to be changed for any reason, we have the ability to generate a secondary key that can be used alongside the primary key. You could implement the new key and once you are ready, we can remove the primary key.
Get in touch with us and we will assist.
# OAuth 2.0 Bearer Tokens
Some newer APIs will require an access token in the form of an OAuth 2.0 Bearer token. Providing an API key is not required when calling APIs protected in this way.
A valid bearer token must be provided in an `Authorization` header. The format of the header is `Authorization: Bearer {accessToken}` where `accessToken` is a valid access token.

```
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IlNKUFNpUi0zOVotcl...
```
Our SSO solutions provide endpoints to obtain access tokens to access the API endpoints on behalf of the customer as well as endpoints to refresh the access token when the current token expires. Details of these SSO solutions will be provided when you are granted access.
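The two header forms above, together with the guidance on one key per use case and per environment, as an added Python example that is not Spur Corporation's own code. The environment-variable naming scheme, the `api.example.invalid` host and the key value are assumptions constructed for illustration; `redact_url` is included because URLs are commonly written to access logs, so a key sent as the `api-key` query parameter should be masked before the URL is logged.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

API_KEY_HEADER = "X-API-Key"  # header name given on this page
API_KEY_PARAM = "api-key"     # query-string parameter name given on this page


def load_api_key(use_case, environment, env=None):
    """Look up the key for one use case in one environment.

    The variable naming scheme (SPUR_API_KEY_<USE_CASE>_<ENVIRONMENT>) is an
    assumption made for this example, not something the API defines.
    """
    env = os.environ if env is None else env
    name = f"SPUR_API_KEY_{use_case}_{environment}".upper()
    key = env.get(name, "").strip()
    if not key:
        raise KeyError(f"{name} is not set")
    return key


def auth_headers(api_key=None, access_token=None):
    """Return the header for exactly one of the two schemes described above."""
    if (api_key is None) == (access_token is None):
        raise ValueError("pass exactly one of api_key or access_token")
    if api_key is not None:
        return {API_KEY_HEADER: api_key}
    return {"Authorization": f"Bearer {access_token}"}


def redact_url(url):
    """Mask the api-key query parameter so a URL is safe to write to a log."""
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() == API_KEY_PARAM else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample values; none of these are real keys or endpoints.
    sample_env = {"SPUR_API_KEY_MOBILE_STAGING": "constructed-staging-key"}
    key = load_api_key("mobile", "staging", env=sample_env)
    print(auth_headers(api_key=key))
    print(redact_url("https://api.example.invalid/v1/menu?api-key=" + key + "&page=2"))
```

Because the lookup is keyed on both use case and environment, a staging key can never be picked up by a production build, and rotating one use case's key touches one variable only.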
# Access to APIs
Access to the various APIs is controlled by Spur Corporation and is determined by the nature of the work the partner is contracted to carry out for us.
If you need access to an API, please request it via your contact at Spur Corporation and we will be in touch.