Authentication flow

The LetsGetChecked B2B API uses the OAuth 2.0 protocol for authentication and authorization.

Request an access token

LetsGetChecked provides your credentials securely for each of the environments that you access.

Applications use access tokens to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data.

To request a valid API access token, submit the access key ID, the secret access key, and the client_credentials grant type, all provided by LetsGetChecked, to the LetsGetChecked OAuth2 token endpoint.

Access keys consist of two parts: an access key ID and a secret access key. Use the access key ID and the secret access key together to authenticate your requests. Both the access key ID and the secret access key are alphanumeric strings of 25 characters.

The client-credentials grant type is used when applications request an access token to access their resources, not on behalf of a user.

A successful request returns a response containing the access token, in the form of a JSON Web Token (JWT), and the period for which the token remains valid.

Sample request

# Replace access key and secret key accordingly.
curl -X POST --user '<access key>:<secret key>' \
  '{LGC-API}/oauth2/token?grant_type=client_credentials&scope=orders%2Ffull' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Using access tokens

Use bearer authentication to complete API operations: include the returned access token in the Authorization header as a bearer token. Ensure that the bearer token has not expired. If there is any problem with the token, the API returns an HTTP 401 Unauthorized status code. For more information, see Error codes.

Sample request

# Replace the <clientId>, <clientOrderId>, <access_token> and JSON payload accordingly.
curl -X PUT '{LGC-API}/<clientId>/order/<clientOrderId>' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <access_token>' \
  -d '{}'
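The two curl samples above show the flow one call at a time. The following Python client, added here as an example and not LetsGetChecked's own SDK, ties them together: it sends the access key ID and secret access key as HTTP Basic credentials to the token endpoint (what curl's --user does), caches the returned token, refreshes it shortly before expiry, attaches it as a bearer token to API calls, and, on a 401, discards the cached token and retries once. It assumes the token response uses the standard RFC 6749 field names (access_token, token_type, expires_in); the base URL, key values and the fake transport at the bottom are constructed placeholders so the code runs offline.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# A transport takes a prepared Request and returns (status, body). It is
# injectable so the token flow can be exercised without network access.
Transport = Callable[[urllib.request.Request], Tuple[int, bytes]]


def urllib_transport(req: urllib.request.Request) -> Tuple[int, bytes]:
    """Real transport: non-2xx statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def basic_auth_header(access_key_id: str, secret_access_key: str) -> str:
    """curl --user <id>:<secret> sends HTTP Basic; build the same header."""
    raw = f"{access_key_id}:{secret_access_key}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url: str, access_key_id: str, secret_access_key: str,
                        scope: str = "orders/full") -> urllib.request.Request:
    """POST {base_url}/oauth2/token?grant_type=client_credentials&scope=...
    The credentials travel only in the Authorization header, never in the URL."""
    query = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    req = urllib.request.Request(f"{base_url}/oauth2/token?{query}", data=b"", method="POST")
    req.add_header("Authorization", basic_auth_header(access_key_id, secret_access_key))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


@dataclass
class Token:
    access_token: str
    expires_at: float  # absolute epoch seconds

    def usable(self, now: float, margin: float = 30.0) -> bool:
        """Treat the token as expired `margin` seconds early to avoid racing the server."""
        return now < self.expires_at - margin


def parse_token_response(body: bytes, now: float) -> Token:
    """Assumption: RFC 6749 field names (access_token, token_type, expires_in)."""
    data = json.loads(body)
    if data.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    return Token(access_token=data["access_token"], expires_at=now + float(data["expires_in"]))


class ApiClient:
    def __init__(self, base_url: str, access_key_id: str, secret_access_key: str,
                 transport: Transport = urllib_transport, clock: Callable[[], float] = time.time):
        self.base_url = base_url.rstrip("/")
        self._creds = (access_key_id, secret_access_key)
        self._transport = transport
        self._clock = clock
        self._token: Optional[Token] = None

    def token(self) -> str:
        """Return the cached token, fetching a fresh one when missing or near expiry."""
        now = self._clock()
        if self._token is None or not self._token.usable(now):
            status, body = self._transport(build_token_request(self.base_url, *self._creds))
            if status != 200:
                raise RuntimeError(f"token endpoint returned HTTP {status}")
            self._token = parse_token_response(body, now)
        return self._token.access_token

    def _send(self, method: str, path: str, payload: Optional[dict]) -> Tuple[int, bytes]:
        data = json.dumps(payload).encode("utf-8") if payload is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token())  # bearer, as the docs require
        if payload is not None:
            req.add_header("Content-Type", "application/json")
        return self._transport(req)

    def request(self, method: str, path: str, payload: Optional[dict] = None) -> Tuple[int, bytes]:
        """One API call; on 401 drop the cached token, fetch a new one and retry once."""
        status, body = self._send(method, path, payload)
        if status == 401:
            self._token = None
            status, body = self._send(method, path, payload)
        return status, body


def make_fake_transport(token_ttl: int = 3600):
    """Constructed stand-in for the real API (not LetsGetChecked's behaviour):
    issues tokens tok-1, tok-2, ... and accepts only the most recently issued one."""
    state = {"issued": 0}

    def transport(req: urllib.request.Request) -> Tuple[int, bytes]:
        if "/oauth2/token" in req.full_url:
            if not req.get_header("Authorization", "").startswith("Basic "):
                return 401, b'{"error":"invalid_client"}'
            state["issued"] += 1
            resp = {"access_token": f"tok-{state['issued']}", "token_type": "Bearer",
                    "expires_in": token_ttl}
            return 200, json.dumps(resp).encode("utf-8")
        if req.get_header("Authorization") != f"Bearer tok-{state['issued']}":
            return 401, b'{"error":"invalid_token"}'
        return 200, b'{"status":"ok"}'

    return transport, state


if __name__ == "__main__":
    fake, _ = make_fake_transport()
    client = ApiClient("https://api.example.invalid", "ACCESSKEYIDEXAMPLE", "SECRETKEYEXAMPLE",
                       transport=fake)
    print(client.request("PUT", "/client-1/order/order-1", {}))
```

Swapping make_fake_transport for urllib_transport (the default) makes the same client talk to a real endpoint; the credential and token handling is unchanged. The 30-second margin in Token.usable is a conservative choice so that a token is never sent in the last moments of its lifetime, and the single retry on 401 covers server-side expiry or revocation without looping forever on a misconfigured key.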