The Mapwize REST API allows you to programmatically access and modify any object on the platform.
There are different options to get access to resources, depending on the type of operation.
Authenticate using API Keys
The preferred option for most use cases, including most client apps and server-side scripts, is to authenticate using an API key. This avoids the need for a session, improves performance, and is simpler to use.
API keys can be managed in Mapwize Studio, in the organization section (when you are not inside a venue).
READ API key
When the objective is to view Mapwize maps or read Mapwize data from a client's application, a READ API key should be used.
- Each READ API key should specify the access group it is allowed to access. This provides fine-grained permissions over a list of venues and universes.
- In most cases, READ API keys should have "Restrict content to selected access group" selected. This prevents user sessions from interfering with the API key. If your app shows more venues on the map than it should while you are logged in on studio.mapwize.io, it is because you didn't select this option.
- READ API keys also have an option to show or hide the venues that have been made public on Mapwize.
The READ API key only gives access to the objects needed to display and use maps. Other objects specific to account management are not available at all.
WRITE API key
When the objective is to modify Mapwize data using the API, or to access data related to account management, a WRITE API key should be used.
A WRITE API key gives access to all data in its organization. At this point, it is not possible to restrict the scope of a WRITE key to a specific venue.
Authenticate using user login
If you develop an application where a user needs to log in, you can have them log in to Mapwize using our /auth strategies and then use their session. This requires cookies to be handled on your side, as they contain the session token.
This strategy should be used in combination with an API key with READ permissions and with "Restrict content to selected access group" set to FALSE.
Authenticate using Access Keys
If you develop an application where users can individually gain (temporary) access to venues, you could consider using Access Keys. In this case, you need to enable cookies so that users get a session, and then use the /access route to dynamically add access (a list of venues/universes) to their session.
This strategy should be used in combination with an API key with READ permissions and with "Restrict content to selected access group" set to FALSE.