Authorization

This documentation provides an overview of twinzo's two API authorization methods - Device OAuth and static token, along with the request signing process for authorized requests. With this information, developers can effectively implement authorization and request signing to securely integrate third-party data sources with twinzo's API endpoint.

Device OAuth

• The Device OAuth method enables authorization per device using a login and password combination. Developers can add login and password credentials in the device edit form, as described in the previous chapters.

• To send authentication requests with credentials and client name, developers can use the following endpoint:

  • Enterprise: https://api.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_Authenticate (select API v3)

  • Platform: https://api.platform.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_Authenticate (select API v3)

Open

• Each token has an expiration, but it can be refreshed with a dedicated method available at:

  • Enterprise: https://api.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_RefreshToken

  • Platform: https://api.platform.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_RefreshToken

Open

Static Token

Alternatively, developers can generate a static token to sign every request with the same server key. This method is recommended only for server-to-server communication, as it is less secure than Device OAuth.

Request Signing

• Each authorized request must be signed with the proper token, which should be included in requests via specific HTTP Header values.

• To identify the proper client, headers must also include the Client and Branch GUID key.

• Developers can find the Branch GUID in the list of branches in the Places section, and the Client GUID is displayed in the Settings in the Client tab.