
API security

The Antavo Loyalty Cloud communicates with client systems through API requests. Properly securing these API requests protects personal data and helps prevent fraudulent behavior.

For general data compliance information, please refer to the relevant section of the documentation.

HTTPS

All API requests sent to Antavo should use HTTPS. Transport-level encryption via HTTPS prevents man-in-the-middle and eavesdropping attacks, ensuring in-transit confidentiality and integrity. If an unencrypted HTTP request is sent, the server automatically redirects it to a secure HTTPS connection. However, not every server configuration or framework handles this redirect correctly, so it is recommended to always use HTTPS directly to avoid complications.

API credentials

The Antavo Loyalty Cloud uses an API key and secret to authenticate and sign requests. These credentials must be generated through the API settings of the Management UI for each workspace. The API key remains visible on the settings page, but the secret is only displayed once, immediately upon generation. Therefore, it’s crucial to securely save the secret as it will not be retrievable later.

Users with the necessary clearance can inspect or re-generate the API key and secret pair.

Signing API Requests

To ensure reliable client identification and data integrity, API requests to the Antavo Loyalty Cloud must be signed. Requests are signed using an Antavo API key and secret, along with a timestamp and other request-specific metadata. This ensures that the request originates from the authorized client, that the transmitted data is not modified in transit, and that the request is accepted only once within a specific time window. The API signing protocol is described in the API signing document.
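To illustrate the three guarantees above (origin, integrity, single acceptance within a time window), here is an added example of a generic HMAC request-signing scheme with server-side verification. It is not Antavo's own protocol or code: the header names, the canonical-string layout, the 300-second window and the sample credentials are all assumptions; the real layout is in the API signing document.

```python
import hmac
import hashlib
import time

# Constructed illustration, NOT Antavo's actual signing protocol.
API_KEY = "example-key"          # constructed sample credential
API_SECRET = "example-secret"    # constructed sample credential
MAX_SKEW_SECONDS = 300           # assumed acceptance window


def canonical_string(method, path, body, timestamp, nonce):
    """Bind every field the server will check into one string to sign."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(secret, method, path, body, timestamp, nonce):
    """Client side: HMAC-SHA256 over the canonical string with the API secret."""
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: check key, freshness, replay, then signature."""

    def __init__(self, keys, now=time.time):
        self.keys = keys      # api_key -> secret
        self.seen = set()     # (timestamp, nonce) pairs already accepted;
        self.now = now        # a real server expires these after the window

    def verify(self, headers, method, path, body):
        secret = self.keys.get(headers.get("X-Api-Key"))
        if secret is None:
            return "unknown key"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return "bad timestamp"
        if abs(self.now() - ts) > MAX_SKEW_SECONDS:
            return "stale"          # outside the acceptance window
        nonce = headers.get("X-Nonce", "")
        if (ts, nonce) in self.seen:
            return "replay"         # same request delivered twice
        expected = sign_request(secret, method, path, body, ts, nonce)
        # Constant-time comparison avoids leaking the signature via timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"  # wrong secret or body modified in transit
        self.seen.add((ts, nonce))
        return "ok"
```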

Note: Signed requests are the only way to access information from APIs in production environments.