Authentication
Authentication is required for all requests to the in-person product's API endpoints. There are two authentication methods available:
- API Keys
- JWT (JSON Web Token)
API Keys
A Tenant is issued an API Key during onboarding, and this API Key must be sent in the headers of every API request.
Three header items are required:
| Header | Description |
|---|---|
| `x-exi-auth-ver` | Authentication scheme version; currently the first version, `V1` |
| `x-tenant-id` | The tenant Id supplied once the tenant is created on the Stitch platform |
| `x-api-key` | The API Key issued at onboarding |
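As an added example (not Stitch's own server code), the following Python shows how a service receiving these requests would check the three headers together: all present, the version supported, and the key compared against the key issued to that specific tenant in constant time. The tenant registry and its key values are constructed for the example.

```python
import hmac

# Required request headers for API-key authentication.
REQUIRED_HEADERS = ("x-exi-auth-ver", "x-tenant-id", "x-api-key")
SUPPORTED_AUTH_VERSION = "V1"

# Constructed registry for this example: tenant id -> API key issued at onboarding.
TENANT_API_KEYS = {
    "tenant-1234": "example-key-for-tenant-1234",
    "tenant-5678": "example-key-for-tenant-5678",
}


def authenticate_api_key(headers, registry=TENANT_API_KEYS):
    """Return the authenticated tenant id, or raise ValueError with the reason.

    Header names are matched case-insensitively, as HTTP header names are.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    missing = [name for name in REQUIRED_HEADERS if name not in lowered]
    if missing:
        raise ValueError("missing headers: " + ", ".join(missing))
    if lowered["x-exi-auth-ver"] != SUPPORTED_AUTH_VERSION:
        raise ValueError("unsupported x-exi-auth-ver")
    tenant_id = lowered["x-tenant-id"]
    # Compare only against the key issued to *this* tenant, so a key from one
    # tenant cannot be presented with another tenant's id; compare_digest keeps
    # the comparison constant-time.
    expected = registry.get(tenant_id, "")
    if not expected or not hmac.compare_digest(
        lowered["x-api-key"].encode(), expected.encode()
    ):
        raise ValueError("invalid tenant id or API key")
    return tenant_id
```

Rejecting an unknown tenant id and a wrong key with the same error keeps the response from revealing which of the two was wrong.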
JWT (JSON Web Token)
JWT is a type of OAuth2 Bearer Token. The minimum requirements are that the `alg` is `RS256`, that a `kid` is present to identify the public key used for validation, and that the token is not expired (the value of the `exp` claim must be in the future).
The JWT must always be provided as an HTTP header: the `Authorization` header must carry the JWT as a `Bearer` token.
| Header | Description |
|---|---|
| `Authorization` | `Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6IC...` |
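The following Python is an added example, not Stitch's or any tenant's code, showing both sides of the requirements above: a tenant issuing an RS256 JWT whose `kid` names its key, and a verifier that pins `alg` to `RS256` before any key lookup, resolves `kid` against the known public keys, checks the signature and then requires `exp` to be in the future. The RSA and PKCS#1 v1.5 routines are a toy implementation constructed so the example runs offline; a production verifier would use a vetted library (for instance PyJWT with `cryptography`). Key ids and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# --- Toy RSA, constructed so the example runs offline; not for production use.

def _is_probable_prime(n, rounds=32):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin rounds
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits=1024):
    """Return (public, private) dicts; 1024 bits keeps the demo fast, real keys use >= 2048."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

# DER-encoded DigestInfo prefix for SHA-256, as used by PKCS#1 v1.5 signatures.
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(private_key, message):
    k = (private_key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(em, private_key["d"], private_key["n"]).to_bytes(k, "big")

def rs256_verify(public_key, message, signature):
    k = (public_key["n"].bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= public_key["n"]:
        return False
    em = pow(s, public_key["e"], public_key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

# --- JWT issuance (tenant side) and the validation policy the text requires.

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(private_key, kid, claims):
    """Sign header.payload with RS256; kid tells the verifier which public key to use."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    segments = [json.dumps(part, separators=(",", ":")).encode() for part in (header, claims)]
    signing_input = ".".join(b64url_encode(seg) for seg in segments)
    return signing_input + "." + b64url_encode(rs256_sign(private_key, signing_input.encode()))

def parse_bearer(authorization_value):
    """Extract the token from an 'Authorization: Bearer <jwt>' header value."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("Authorization header must carry a Bearer token")
    return token

def validate_jwt(token, public_keys, now=None):
    """Return the claims if alg, kid, signature and exp all pass; otherwise raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm before any key lookup; the token must not get to choose it.
    if header.get("alg") != "RS256":
        raise ValueError("alg must be RS256")
    kid = header.get("kid")
    if not isinstance(kid, str) or kid not in public_keys:
        raise ValueError("missing or unknown kid")
    if not rs256_verify(public_keys[kid], f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("exp missing or not in the future")
    return claims
```

The order of checks matters: the algorithm is fixed to `RS256` and the key is selected by a known `kid` before the signature is examined, so a token that names a different algorithm or an unregistered key is rejected without any key material being consulted, and `exp` is only trusted after the signature over the payload has been verified.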
A JWT for the in-person's terminal APIs can be issued in one of 2 ways:
- By a Stitch Tenant (preferred)
- By Stitch directly
JWT issued by a Stitch Tenant
In this model, the Stitch platform is not responsible for user management: the tenant has its own user authentication mechanism, and users authenticate through it.
The Tenant then generates a JWT from its own system, and Stitch validates this JWT using the Tenant's shared Public Key.
JWT issued by Stitch
A Tenant may not have a user management capability, or may decide that user management via its own system is not necessary.
In this case, Stitch can create a key pair for the Tenant, which is used to create and verify JWTs on the basis of the terminal serial number.