Key-Based Authentication and Authorization

The hub uses a bearer token to authenticate and authorize users. Use the token endpoint to log in with your access key and get a bearer token.

GET /token/{accessKey}

Results:

  "results": [
    {
      "token": "string",
      "expiration": "string",
      "notBefore": "string"
    }
  ]

The token string is then used in subsequent requests to the hub, in the Authorization HTTP header:

Authorization: Bearer [token string]

Tiered accessKey Structure

Three levels of access keys exist:

Hub Key

The Hub Key is used by the hub administrator to perform admin-level functions. The operations admin dashboard authenticates with this key.

Organization Key

When a showing vendor's use of the hub is activated by the hub admin, they're given an Organization Key. This key enables access to the endpoints about maintaining your Organization entity, and to manage the one or more Applications owned by the Organization.

Application Key

The Application key grants access to all of the API routes that are about actual workflows involving registering listings, handling restrictions, making and accepting appointments, etc. An application can edit itself, but not any other application, including "sibling" applications within the same Organization.

Per-Route Permissions

The level of key required for each route is described inside the Swagger interface, in the first line of the endpoint details.

Note that a Organization can't perform Application functions, despite owning those Applications. The data ownership context of the Application endpoints is derived from the logged-in Application, and an Organization might have more than one.