Tradecloud API v2 manual
  • Introduction
    • Welcome
      • Checklist
      • Support
    • API
      • Rules
      • Requests
      • JSON versus XML
      • Environments
      • Standards
      • Compatibility
      • Tools
        • Swagger UI
        • Postman
        • .NET SDK
      • Webhook versus polling
        • Polling usage
        • Polling echo
      • Delivery schedule
    • Security
      • Security overview
      • Authentication
      • Authorization
      • Encryption
      • Document storage
  • Guide
    • 1. Getting an Account
    • 2. Sending your first order
      • Option A: Sending a Delivery Schedule per order line
      • Option B: Sending a Single Delivery per order line
  • Processes
    • Forecasts
      • Issue a new forecast
      • Issue a new Slimstock forecast
    • Orders
      • Buyer order process
        • Issue a new order
          • Delivery schedule
          • Indicators
          • No delivery expected
          • Propose when accepted
          • Attach a document to an order
          • Choose attach document API
        • Update an existing order
        • Receive an order response
          • Download a document attached to an order response
          • Single delivery order response
        • Receive goods
        • Complete an order
        • Reopen an order
        • Cancel an order
      • Supplier order process
        • Receive an order
          • Download a document attached to an order
          • Single delivery order
        • Send order response
          • Attach a document to an order response
        • Reopen an order
        • Cancel an order
    • Shipments
      • Supplier shipment process
        • Send despatch advice
      • Buyer shipment process
        • Receive a shipment event
          • Download a document attached to a shipment
Powered by GitBook
On this page
  • Basic Authentication upon every request
  • How to Authenticate
  • Basic Authentication with JSON Web Tokens
  • Authenticate
  • Authorize
  • Refreshing the token
  • Log out
  1. Introduction
  2. Security

Authentication

How to use JSON Web Tokens

PreviousSecurity overviewNextAuthorization

Last updated 6 months ago

The api-connector, object-storage/document, order-search/poll and shipment/poll integration API's support two means of authentication:

  • Using "Basic" HTTP authentication scheme () upon every HTTP request.

  • Using "Basic" HTTP authentication scheme () to obtain a (). The JWT is used for authentication for all following requests.

Only an integration user is authorised to access the integration API's.

Please contact to assign the integration role to your integration user.

Basic Authentication upon every request

You can use the Basic HTTP Authentication scheme to authenticate upon every request.

Pro: this is a simple authentication method, supported by all integrations

Con's:

  • The response time is long, average 1 second, up to 3 seconds.

  • It is only supported by api-connector, object-storage/document, order-search/poll and shipment/poll API's, not by other service API's.

Use Basic Authentication upon every request only when:

  • You send one order or response occasionally; less then 1 per minute.

  • And you do not need to integrate with other API's, like the user and company API's

  • Or when your integration system does not support

How to Authenticate

You can authenticate using a Basic Authorization HTTP header with a base 64 encoded email and password:

// Example request method and URI
POST https://api.accp.tradecloud1.com/v2/api-connector/order
// Request headers:
Authorization: Basic <<Email>:<Password> base64 encoded>

Basic Authentication with JSON Web Tokens

  1. Use the Basic HTTP Authentication scheme to authenticate against the authentication service.

  2. Use the returned JWT to authorize against the Tradecloud api-connector and other service API's for all subsequent requests.

Pro's:

  • Faster response time (except for the initial authentication), average 200ms

  • It is supported by all connector and service API's

Con: this is a more complex authentication and authorization method

Use JSON Web Tokens when:

  • You send batches of orders or responses; more then 1 per minute

  • Or when you need additional API's, like the user and company API's

Authenticate

You can log in using a Basic Authorization HTTP header with a base 64 encoded email and password:

// Request method and URI
GET https://api.accp.tradecloud1.com/v2/authentication/login
// Request headers:
Authorization: Basic <<Email>:<Password> base64 encoded>
// Response code:
200
// Response headers:
Set-Authorization: <Access-Token>
Set-Refresh-Token: <Refresh-Token>

Authorize

Use a Bearer Authorization HTTP header with the access token in each request:

// Example request method and URI
POST https://api.accp.tradecloud1.com/v2/api-connector/order
// Request headers:
Authorization: Bearer <Access-Token>

Refreshing the token

An access token will expire after 1 hour and a refresh token after 24 hours. When your access token has expired you have to use the refresh token. If your refresh token expires you have to log in again.

You can refresh your access token by placing an HTTP request to /authentication/refresh, using only the Refresh-Token header. Do NOT use the Authorization header.

// Example request method and URI
GET https://api.accp.tradecloud1.com/v2/authentication/refresh
// Request headers:
Refresh-Token: <Refresh-Token>

When the refresh token is valid, the API will return HTTP status code 200 OK and containing a new access token and a new refresh token. Otherwise, the API will return HTTP status code 401 Unauthorized

// Response code:
200
// Response headers:
Set-Authorization: <Access-Token>
Set-Refresh-Token: <Refresh-Token>

The refresh token cannot be used once it is expired or a new refresh token is generated.

Log out

Log out will invalidate the refresh token immediately. The access token will expire after 10 minutes.

You can invalidate your refresh token by placing an HTTP request to /authentication/logout, using only the Refresh-Token header. Do NOT use the Authorization header.

// Example request method and URI
POST https://api.accp.tradecloud1.com/v2/authentication/logout
// Request headers:
Refresh-Token: <Refresh-Token>
// no body

When correctly authenticated, your request will be processed and if all is well, the response will have OK

When NOT correctly authenticated, the response will return Unauthorized

In case of some server issue, including the upstream authentication service being unreachable, the response will return Internal Server Error

When correctly authenticated, the response will return OK and contain access and refresh tokens:

When NOT correctly authenticated, the response will return Unauthorized

in yaml format

When correctly authenticated, your request will be processed and if all is well, the response will have OK

RFC 7617
RFC 7617
JSON Web Token
RFC 7519
support@tradecloud1.com
JSON Web Tokens
RFC 7519
HTTP status code 200
HTTP status code 401
HTTP status code 500
HTTP status code 200
HTTP status code 401
Authentication OpenAPI specification
HTTP status code 200