Authentication
To use our APIs you need to authenticate using a tenant-specific URL. These are https://{your-tenant-id}.login-test.futureordering.com and https://{your-tenant-id}.login.futureordering.com respectively for test and prod scenarios. You retrieve a token using the Client Credentials Flow for OAuth 2.0.
Token retrieval
Tokens MUST be cached. New tokens MUST NOT be retrieved for each new request.
There are requirements around token handling. Tokens MUST be cached. The token expires after a period of time. The lifetime of a token, the time until the token expires, is generally one hour, but may differ per Client. It is recommended to proactively retrieve a new token when approximately 75% of the token lifetime has passed, e.g. after 45 minutes. New tokens MUST NOT be retrieved for each new request. Frequent retrieval of new tokens may trigger rate limiting and cause your implementation to not function properly.
Tokens should be handled as secrets
The token is used to authenticate and authorize requests and should therefore be considered a sensitive value. Consider the security implications of actions performed with a token, e.g. storing to database, sending in query strings, etc.
OAuth scopes
In order for a token to work, it is needed to know which components it will be used for and request a token with the corresponding scopes.
Each endpoint will declare what permissions it requires in the technical reference for the endpoint. If the endpoint documentation doesn't state which permissions you need for the request you want to do, please contact your technical representative at Future Ordering for assistance.