Authorization Flow

Get your server authorized to contact nutrition-api

PreviousNutrition-API NextAPI Request Setup

Last updated 1 year ago

Authorization Flow

Get your server authorized to contact nutrition-api

Access to the nutrition API has a few requirements. All of these can be fulfilled just with your license key.

Best Practices

Your api key should never be visible to customers. Your backend service which you are going to enhance with nutrition-api should be the only server ever requesting a token.

Keep your API Key Safe

It is your responsibility to keep your API key safe.

If you make this request on your client side, they will be able to see your API key in the headers, and abuse it.

Requesting the Token

In order to obtain your token for the API, you will need to send a request with your API key to our token service.

For example:

https://api.passiolife.com/v2/token-cache/napi/oauth/token/1i5eXnFpiRfiBGgLibonnBg10Ct14nALTAK5Jb6B4V4o

previously, this route was incorrectly registered as a GET request in our system, it has been corrected to a POST, but the GET has been maintained for backwards compatibility

The key values to note in the response are the access_token , customer_id , and the expires_in fields.

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImupZCI6InNab1FMT3oxMkRreHVLNVVVRUJBSCJ9.eyJpc3MiOiJodHRwczovL3Bhc3Npby1kZXYudXMuYXV0aDAuY29tLyIsInN1YiI6IkhvazRsdE1xWUNMVWc4MlhURjhTTVY1ejI1ckVHdlJEQGNsaWVudHMiLCJhdWQiOiJuYXBpIiwiaWF0IjoxNzA3ODU1OTAwLCJleHAiOjE3MDc5NDIzMDAsImF6cCI6IkhvazRsdE1xWUNMVWc4MlhURjhTTVY1ejI1ckVHdlJEIiwic2NvcGUiOiJyZWFkOnNlYXJjaCByZWFkOnByb2R1Y3RzIiwiZ3R5IjoiY2xpZW50LWNyZWRlbnRpYWxzIn0.M6pZGSaDhmF-KFoI5Rw3JCCWWuSgvYAoLV7tvAM3mesYR75Va2_C3xKaXx9jXfLXjWeFVunl9tSccus7ca1rPtmBQ4Kg4DMffcYJwv6INU72DspxajLpHsGQCxsyC53vSrgD173vJozB4Q4UEtlavTRbejS2rtOztv8b4cBV4jJBA03dBoJwrE0DwWb3d4mIXk6ZHh9NCOt0QQRt878DRZLJ50bF10U2RGsKf6rlQKyGDcvtRYCwnB2_hoIJel9EL9LzGY3nMUZaFuVkjvsBpbPxm5iCqfTDaTnijxsDMNbGGuNVxNUdtkPbLqaWQE7_LFuoaiqxXnDmk7DyxNkwfg",
    "scope": "read:search read:products",
    "expires_in": 86155.034762118,
    "token_type": "Bearer",
    "customer_id": "0d8bb889-36e1-11ee-b9e9-92e504c243a4"
}

Implement Refreshing

The token you receive from our service will have a time-stamp of its expiry.

Recommended Implementation:

Put your license key into your applications env using injection, and ideally a secret manager
Create a wrapper, or preflight check when sending requests to nutrition-api such that:
- If there is no current token, obtain one as documented below
- Anytime you collect a token, note the time it was gathered. The sum of the timestamp of receiving the response, and the expires_in duration is when your token will expire.
- Send new requests to refresh token as needed
All client requests should hit your API, which internally contacts nutrition-api

Required Headers

All incoming requests require that you have your Passio identifier in the request headers. Your customer id is returned with the token request once your API key has been validated, and can be pulled from the response to apply to your headers.

This is used to track usage and identify leaks. Any requests coming in with no identifier, or an invalid identifier will be rejected.

Authorization Header: you must provide your access_token in an authorization header with the prefix Bearer for example: {"Authorization": "Bearer <access_token here>"}
Passio Identification Header: you must provide your passio customer_id (either as returned with the token or as seen on your product dashboard) in a Passio-ID header

{
  "Authorization": "Bearer <access_token here>",
  "Passio-ID": "0d8bb889-36e1-11ee-b9e9-92e504c243a4"
}

Continue to API Request Setup to see code examples on making requests to nutrition-api