Authorization
This documentation provides an overview of twinzo's two API authorization methods - Device OAuth and static token, along with the request signing process for authorized requests. With this information, developers can effectively implement authorization and request signing to securely integrate third-party data sources with twinzo's API endpoint.
Device OAuth
The Device OAuth method enables authorization per device using a login and password combination. Developers can add login and password credentials in the device edit form, as described in the previous chapters.
To send authentication requests with credentials and client name, developers can use the following endpoint:
Enterprise: https://api.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_Authenticate (select API v3)
Platform: https://api.platform.twinzo.eu/swagger/ui/index#!/Authorization/Authorization_Authenticate (select API v3)
Upon a successful request, the developer will receive a token with an expiration date. Every authorized request on API functions must be signed with an active token or API Key.
Each token has an expiration, but it can be refreshed with a dedicated method available at:
Static Token
Alternatively, developers can generate a static token to sign every request with the same server key. This method is recommended only for server-to-server communication, as it is less secure than Device OAuth.
If a third-party system is sending data from distributed devices, it is strongly recommended not to use static tokens for client devices.
Request Signing
Each authorized request must be signed with the proper token, which should be included in requests via specific HTTP Header values.
To identify the proper client, headers must also include the Client and Branch GUID key.
Developers can find the Branch GUID in the list of branches in the Places section, while the Client GUID is obtained via registration through a Twinzo support contact.