System interaction
This page explains the authentication flow for the Catalogue API: the different types of tokens involved and when to use which.
There are two ways to access the Catalogue API. Which one you use depends on whether you hold a Private AccessToken or a Public AccessToken.
The main difference between the two is that a Private AccessToken must never be used in your client code. Instead, you run your own server, which uses the Private AccessToken to authenticate users. This lets you put your own security controls around the authentication call, for example requiring users to log in to your app before your server hands them a SessionToken.
Overview
- Public AccessToken
- Private AccessToken
A Public AccessToken can be used client side, which removes the need to set up your own server to keep the token secret.
The first step is to obtain a SessionToken. With a Public AccessToken this is done through the Catalogue API instead of the Catalogue Auth API. After you have received a SessionToken, the process is the same as for a Private AccessToken.
The following sequence diagram (not reproduced here) gives an overview of accessing the Catalogue API with a Public AccessToken. Its legend:
- SessionToken: Sent to and used by your app or website.
- Public AccessToken: Sent to our server to authenticate. Can be used in the client.
The sequence diagram below gives an overview of how to access the Catalogue API with a Private AccessToken.
The first step is to obtain a SessionToken. This should be done by your backend server, which uses your Private AccessToken to request a SessionToken from the Catalogue Auth API. The SessionToken is then sent to your client, which in turn includes it in every request it makes to the Catalogue API.
Note that a SessionToken has a limited lifetime. When it expires, the Catalogue API will reject requests that carry it, and you have to repeat the authorization step so that your backend server can provide the client with a new SessionToken and it can continue making Catalogue API requests.
How your client communicates with your backend server is fully up to you. But remember that the Private AccessToken must remain protected on your backend server and must never be sent to, stored in, or otherwise used by your client code.
Legend of the diagram:
- SessionToken: Sent to and used by your app or website.
- Private AccessToken: Should only be available to and used by your server.
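The Private AccessToken flow above, as an added example that is not code from the Catalogue API or its documentation: a backend token broker that keeps the Private AccessToken server-side and hands out only SessionTokens, and a client that uses the SessionToken on every request and re-runs the authorization step when it expires. The Catalogue Auth API and Catalogue API are replaced by two constructed stand-ins so the flow runs offline; the header name, the JSON field names (sessionToken, expiresIn, expiresAt) and the token lifetime are assumptions, not the real API contract. The client-side refresh logic is the same in the Public AccessToken flow; only the party that issues the SessionToken differs.

```python
"""Backend token broker plus client for the Private AccessToken flow.

Added example, not the Catalogue API's own code. Header names, JSON field
names and the token lifetime are ASSUMPTIONS; the real ones are in the API
reference. The two Fake* classes are constructed stand-ins for the
Catalogue Auth API and the Catalogue API so the flow runs offline.
"""
import secrets
from typing import Callable, Dict, Optional

Clock = Callable[[], float]  # injectable clock so expiry can be simulated


class FakeCatalogueAuthApi:
    """Stand-in for the Catalogue Auth API: trades a Private AccessToken for a SessionToken."""
    def __init__(self, private_token: str, ttl: float, clock: Clock):
        self._private, self._ttl, self._clock = private_token, ttl, clock
        self.issued: Dict[str, float] = {}   # sessionToken -> expiry (epoch seconds)
        self.calls = 0

    def request_session_token(self, headers: Dict[str, str]) -> dict:
        self.calls += 1
        if headers.get("Authorization") != f"Bearer {self._private}":
            raise PermissionError("401: bad Private AccessToken")
        tok = secrets.token_urlsafe(24)
        self.issued[tok] = self._clock() + self._ttl
        return {"sessionToken": tok, "expiresIn": self._ttl}   # assumed response shape


class FakeCatalogueApi:
    """Stand-in for the Catalogue API: accepts only a valid, unexpired SessionToken."""
    def __init__(self, auth: FakeCatalogueAuthApi, clock: Clock):
        self._auth, self._clock = auth, clock

    def get(self, path: str, headers: Dict[str, str]) -> dict:
        tok = headers.get("Authorization", "")[len("Bearer "):]
        exp = self._auth.issued.get(tok)
        if exp is None or self._clock() >= exp:
            raise PermissionError("401: SessionToken missing or expired")
        return {"path": path, "ok": True}


class SessionTokenBroker:
    """Runs on YOUR server. The Private AccessToken lives only here."""
    def __init__(self, private_token: str, auth: FakeCatalogueAuthApi, clock: Clock):
        if not private_token:
            raise ValueError("Private AccessToken not configured")
        self._private, self._auth, self._clock = private_token, auth, clock

    def issue(self, user_authenticated: bool) -> dict:
        """Client-facing endpoint: gate on your own user auth, then pass on a
        SessionToken. The response never contains the Private AccessToken."""
        if not user_authenticated:
            raise PermissionError("log in to our app first")
        resp = self._auth.request_session_token({"Authorization": f"Bearer {self._private}"})
        return {"sessionToken": resp["sessionToken"],
                "expiresAt": self._clock() + float(resp["expiresIn"])}


class CatalogueClient:
    """Runs in the app or website. Holds only the SessionToken and asks the
    broker for a new one when it expires."""
    SKEW = 5.0   # renew slightly early so in-flight requests do not hit a 401

    def __init__(self, broker: SessionTokenBroker, api: FakeCatalogueApi, clock: Clock):
        self._broker, self._api, self._clock = broker, api, clock
        self._session: Optional[dict] = None

    def _session_token(self) -> str:
        s = self._session
        if s is None or self._clock() >= s["expiresAt"] - self.SKEW:
            self._session = s = self._broker.issue(user_authenticated=True)
        return s["sessionToken"]

    def get(self, path: str) -> dict:
        try:
            return self._api.get(path, {"Authorization": f"Bearer {self._session_token()}"})
        except PermissionError:
            # Server-side expiry can beat the local clock: refresh once and retry.
            self._session = None
            return self._api.get(path, {"Authorization": f"Bearer {self._session_token()}"})


def demo_flow(ttl: float = 60.0) -> dict:
    """Drive the flow with a controllable clock and report what happened."""
    now = [1_000.0]
    clock = lambda: now[0]
    private = "private-access-token-constructed"   # constructed sample secret
    auth = FakeCatalogueAuthApi(private, ttl, clock)
    broker = SessionTokenBroker(private, auth, clock)
    client = CatalogueClient(broker, FakeCatalogueApi(auth, clock), clock)
    first = client.get("/tracks")
    now[0] += ttl + 1                       # the SessionToken has now expired
    second = client.get("/tracks")          # triggers a second authorization step
    return {"first_ok": first["ok"], "second_ok": second["ok"],
            "auth_calls": auth.calls,
            "client_holds_private": private in str(vars(client))}


if __name__ == "__main__":
    print(demo_flow())
```

The point to check in your own implementation is the last field of `demo_flow`: nothing the client holds, logs or serialises should ever contain the Private AccessToken, and your client-facing endpoint should refuse to mint a SessionToken for a caller you have not authenticated yourself.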
Cache data
You are forbidden to cache API data on your servers. For more information, read our FAQ.