Authentication

The BOSS API uses a combination of the client credential flow and a subscription key to authenticate requests. BOSS consumers will use TAAS (Taylor Authorization and Authentication Services) to retrieve an OAuth 2.0 bearer token. The client credentials (to retrieve the bearer token) and the subscription key will be provided during the onboarding process.

The following diagram shows how the authentication works:

Diagram of how the authentication flow works

1. The application requests an access_token from the identity server by sending a request with its client_id, client_secret, scope and the grant_type (client_credentials).

2. The identity server authenticates the client and verifies that it has the necessary permissions to access the requested resources.

3. If the client is successfully authenticated, the authorization server issues an access_token, which the application can use to access the protected resources on the service.

4. The application sends the subscription key and the access_token in the Authorization header of subsequent requests to the service's resource server, and the server grants access if the token is valid.

Access Token Request Details

Environment URLs

See the appendix

The service endpoints will by default support 120 requests per minute per client.  Any request beyond that will return a 429 HTTP error.

Access Token Request Example

The examples below show how to request the access_token. The property ‘access_token’ is what needs to be extracted from the JSON response. This value will be used in the Authorization header when calling the API endpoints.

The expiration of the tokens is defined in the field ‘expires_in’ (3600 = 1 hour). You will want to persist the token for its lifetime to make your application more performant.

Curl Example

Subscription Key

The subscription key is provided during the onboarding process and is used in combination with the access_token when making a call against the BOSS API.

The curl example below shows the use of the subscription key (Ocp-Apim-Subscription-Key) when performing a call against the API.
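The token request, the expires_in-based caching and the subscription-key header described above, as an added Python example that is not part of this document or of Taylor's own client code. It assumes a placeholder TAAS token URL (the real endpoints are in the appendix) and takes an injected `post(url, data)` function so that the logic can be exercised offline with the constructed fake TAAS included below; in practice wire `post` to an HTTP library.

```python
import time

# Placeholder: the real TAAS token endpoint is listed in the appendix, not here.
TOKEN_URL = "https://TAAS_HOST_PLACEHOLDER/connect/token"
EXPIRY_MARGIN = 60  # refresh this many seconds before expires_in runs out


class BossAuth:
    """Caches a client-credentials access_token and builds BOSS request headers.

    post(url, data) must return (http_status, json_body); now() returns the
    current epoch time and is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, client_id, client_secret, scope, subscription_key, post, now=time.time):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.subscription_key, self.post, self.now = subscription_key, post, now
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Reuse the cached token until shortly before its lifetime ends (step 1 of the flow).
        if self._token and self.now() < self._expires_at - EXPIRY_MARGIN:
            return self._token
        status, body = self.post(TOKEN_URL, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": self.scope,
        })
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"TAAS token request failed: HTTP {status} {body}")
        self._token = body["access_token"]
        # Track expiry from the 'expires_in' field (3600 = 1 hour per the docs).
        self._expires_at = self.now() + int(body.get("expires_in", 3600))
        return self._token

    def headers(self):
        # Step 4: bearer token plus subscription key on every BOSS API call.
        return {
            "Authorization": f"Bearer {self.access_token()}",
            "Ocp-Apim-Subscription-Key": self.subscription_key,
        }


def make_fake_taas():
    """Constructed stand-in for TAAS: issues token-1, token-2, ... with a 1-hour lifetime."""
    count = 0

    def post(url, data):
        nonlocal count
        if data.get("grant_type") != "client_credentials" or not data.get("client_secret"):
            return 400, {"error": "invalid_request"}  # mirrors a rejected client credential
        count += 1
        return 200, {"access_token": f"token-{count}", "token_type": "Bearer", "expires_in": 3600}

    return post
```

The cache keeps one token per client for its whole lifetime, which also keeps the client well under the 120 requests per minute limit for token fetches.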

Scopes

BOSS API scopes are used to define the level of access for specific resources. They serve as a security mechanism to restrict access to certain parts of the API. Scopes are defined in the Identity Service Provider and can be requested by the client during the authentication process. The table below describes the different scopes for the BOSS API.

POST Order with Configuration: API call used to submit an order for an item with variable details (e.g. personalized business cards or gift card holders not ordered through a navINK configurator).

Operation: POST (Submit Order with Configurations/Specs)

TAAS SCOPE: tc_darkseid_auth_order_create and tc_bosapi_auth_order_create

Common TAAS Errors

If you receive an error connecting to TAAS, you will likely get a 401 error code. The following response bodies outline what the issue might be and whom to contact.