Otter API
Overview
The API endpoints are developed around RESTful principles secure via the OAuth2.0 protocol.
Beyond the entry points, the API also provides a line of communication into your system via webhooks.
For testing purposes, we offer a staging environment. Also, more detailed information about the business rules and workflows can be found on the Documentation Section
Versioning
Each API is versioned individually, but we follow these rules:
- Non breaking changes (eg: adding new fields) are added in the current version without previous communication
- Breaking changes (fields removal, semantic changed or schema update) have the version incremented
- Users will be notified about new versions and will be given time to migrate (the time will be set on a case by case basis)
- Once users migrate to the new version, we will deprecate the old ones
- Once there is a new version for an API, we won't accept new integrations targeting old versions
API General Definitions
The APIs use resource-oriented URLs communicating, primarily, via JSON and leveraging the HTTP headers, response status codes, and verbs.
To exemplify how the API is to be consumed, consider a fake GET resource endpoint invocation below:
curl --request GET 'https://{{public-api-url}}/v1/resource/123' \
--header 'Authorization: Bearer 34fdabeeafds=' --header 'X-Store-Id: 321'
| Header | Description |
|---|---|
Authorization | Standard HTTP header is used to associate the request with the originating invoker. The content of this header is a Bearer token generated from you client_secret, defined in the API Auth guide. |
X-Store-Id | The ID of the store in your system this call acts on behalf of. |
All resource endpoints expect the Authorization header, the remaining headers are explicitly stated in the individual endpoint documentation section.
With these headers, the system will:
- Validate the client token, making sure the call is originating from a trusted source.
- Validate that the Application has the permission to access the
v1/resource/{id}resource via the Application's pre-configured scopes. - Translate your X-Store-Id to our internal store ID (e.g.
AAA). - Validate and retrieve resource
AAA, that is associated to your Application via store id321.
POST/PUT methods will look similar to the GET calls, but they'll take in a body in the HTTP request (default to the application/json content-type).
curl --location --request POST 'https://{{public-api-url}}/v1/resource' \
--header 'Authorization: Bearer 34fdabeeafds=' --header 'X-Store-Id: 321'
--data '{"foo": "bar"}'
API Authentication/Authorization
<SecurityDefinitions />
Webhook
The Otter API is able to send notifications to your system via HTTP POST requests.
Every webhook is signed using HMAC-SHA256 that is present in the header X-HMAC-SHA256, and you can also authenticate the requests using Basic Auth, Bearer Token or HMAC-SHA1 (legacy). Please, refer to Webhook Authentication Guide for more details.
Please work with your Account Representative to setup your Application's Webhook configurations.
Example Base-URL = https://{{your-server-url}}/webhook
Notification Schema
| Name | Type | Description |
|---|---|---|
| eventId | string | Unique id of the event. |
| eventTime | string | The time the event occurred. |
| eventType | string | The type of event (e.g. create_order). |
| metadata.storeId | string | Id of the store for which the event is being published. |
| metadata.applicationId | string | Id of the application for which the event is being published. |
| metadata.resourceId | string | The external identifier of the resource that this event refers to. |
| metadata.resourceHref | string | The endpoint to fetch the details of the resource. |
| metadata.payload | object | The event object which will be detailed in each Webhook description. |
Notification Request Example
curl --location --request POST 'https://{{your-server-url}}/webhook' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36' \
--header 'Authorization: MAC <hash signature>' \
--header 'Content-Type: application/json' \
--data-raw '{
"eventId": "123456",
"eventTime": "2020-10-10T20:06:02:123Z",
"eventType": "orders.new_order",
"metadata": {
"storeId": "755fd19a-7562-487a-b615-171a9f89d669",
"applicationId": "e22f94b3-967c-4e26-bf39-9e364066b68b",
"resourceHref": "https://{{public-api-url}}/v1/orders/bf9f1d81-f213-496e-a026-91b6af44996c",
"resourceId": "bf9f1d81-f213-496e-a026-91b6af44996c",
"payload": {}
}
}
Expected Response
The partner application should return an HTTP 200 response code with an empty response body to acknowledge receipt of the webhook event.
Rate Limiting
Please, refer to Rate Limiting Guide for more details.
Error codes
The APIs use standard HTTP status codes to indicate the success or failure of a request. Error codes are divided into two categories: 4XX codes for client-side errors and 5xx codes for server-side errors.
4XX Client-Side Errors
Client-side errors are indicated by status codes in the 4xx range. These errors are typically the result of a problem with the request made by your application. If a client-side error occurs, our API will return a response that includes an appropriate error message. This message will provide information about the cause of the error. The aim of these messages is to assist you in identifying and resolving the issue. For example, if you submit a request with missing or invalid parameters, you might receive a 400 Bad Request error with a message indicating which parameters were missing or incorrect.
5XX Server-Side Errors
Server-side errors are represented by status codes in the 5xx range. These errors suggest a problem with our server, not with your application's request. Server-side errors are typically transient, meaning they are temporary. If a server-side error occurs, we recommend that the client retries the same request with the exact same parameters. For example, if you get a 500 Internal Server Error, it's possible that our server is suffering a temporary problem. In such cases, retrying the request after a short delay is often successful. If you continually receive server-side errors, reach out to our support team for further assistance.
Authentication
- OAuth 2.0: OAuth2.0
The Authorization API is based on the OAuth2.0 protocol, supporting the (Client Credentials)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.4] and the (Authorization Code)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.1] flows. Resources expect a valid token sent as a Bearer token in the HTTP Authorization header.
Scopes
Scopes must be configured by our internal team to be enabled for an app. Once the scopes are configured they can be enabled on the Application Settings Page in Otter Developer Portal. Each endpoint requires a given scope that can be verified on each endpoint documentation. When generating an OAuth2.0 token multiple scopes can be requested.
Authorization Code Flow
To perform this flow, the authorization code flow must be enabled in the Application Settings Page in Otter Developer Portal. When enabling the flow it is mandatory to provide a redirect URI pointing to your application. Once the flow is complete we will redirect the user to this URI passing the 'code' and 'state' parameters. The Authorization Code flow provides a temporary code that the client application can exchange for an access token. To start the flow the application must request the user authorization. This is done by sending a request to https://{{public-api-url}}/v1/auth/oauth2/authorize. Example
curl --location 'https://{{public-api-url}}/v1/auth/oauth2/authorize?client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&response_type=code&scope=organization.read&state=8A9D16B4C3E25F6A'
This call will return a 302 redirecting the user to our authorization page. If the user approves the application, we will redirect to configured URI passing the authorization code in the query parameter 'code'. The 'state' parameter is also sent to ensure the source of the data. With the authorization code, the client application can generate the token.
Client Credentials Flow
The client_credentials flow does not require any steps before generating the token. Once your application is ready, and the client_id and client_secret are available, the token can be generated by following the instructions in the next section.
Generate Token
To generate the token, use the Client ID and Client Secret (provided during onboarding), and optionally the authorization code obtained after performing the Authorization Code flow, to the Token Auth endpoint endpoint. The result of this invocation is a token that is valid for a pre-determined time or until it is manually revoked.
The access token obtained will be sent as a Bearer value of the Authorization HTTP header.
Client credentials in the request-body and HTTP Basic Auth are supported.
Request Example for client_credentials
curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=ping' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[APPLICATION_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]'
Request Example for authorization_code
curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=ping' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=[APPLICATION_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]' \
--data-urlencode 'code=[code]' \
--data-urlencode 'redirect_uri=[redirect_uri]'
Response Example
{
"access_token": "oMahtBwBbnZeh4Q66mSuLFmk2V0_CLCKVt0aYcNJlcg.yditzjwCP7yp0PgR6AzQR3wQ1rTdCjkcPeAMuyfK-NU",
"expires_in": 2627999,
"scope": "ping orders.create",
"token_type": "bearer"
}
Token Usage
The token provided in field access_token is used to authenticate when consuming the API endpoints. Send the token value in the Authorization header of every request. The token expiration time is represented in the field expired_in, in seconds. Currently, all tokens are valid for 30 days and should be stored and re-used while still valid.
Note that occasionally, a 401 error may be returned for a valid token due to an internal service issue. Such occurrences should be rare. To prevent exposing potential vulnerabilities to attackers, the Otter API does not disclose other types of errors in the authentication flow if for any reason the token can't be validated (when it's a valid token then it's ok to return 5XX or other 4XX though - such as 403). In such scenarios, although the internal auth flow avoids retries to prevent attacks, if the token is known to be valid and not expired, a retry with a backoff interval by the client is advised. Another option is to request a new token.
Example
curl --location --request GET 'https://{{public-api-url}}/v1/ping' \
--header 'Authorization: Bearer <access_token>' \
--header 'X-Store-Id: <storeId>'
Security Scheme Type: | oauth2 |
|---|---|
OAuth Flow (clientCredentials): | Token URL: /v1/auth/token Scopes:
|
OAuth Flow (authorizationCode): | Token URL: /v1/auth/token Authorization URL: /v1/auth/oauth2/authorize Scopes:
|
License