Skip to main content
Version: v1

Otter API

Overview

The API endpoints are developed around RESTful principles secure via the OAuth2.0 protocol.

Beyond the entry points, the API also provides a line of communication into your system via webhooks.

For testing purposes, we offer a staging environment. Also, more detailed information about the business rules and workflows can be found on the Documentation Section

Versioning

Each API is versioned individually, but we follow these rules:

  • Non breaking changes (eg: adding new fields) are added in the current version without previous communication
  • Breaking changes (fields removal, semantic changed or schema update) have the version incremented
  • Users will be notified about new versions and will be given time to migrate (the time will be set on a case by case basis)
  • Once users migrate to the new version, we will deprecate the old ones
  • Once there is a new version for an API, we won't accept new integrations targeting old versions

API General Definitions

The APIs use resource-oriented URLs communicating, primarily, via JSON and leveraging the HTTP headers, response status codes, and verbs.

To exemplify how the API is to be consumed, consider a fake GET resource endpoint invocation below:

curl --request GET 'https://{{public-api-url}}/v1/resource/123' \
--header 'Authorization: Bearer 34fdabeeafds=' --header 'X-Store-Id: 321'
HeaderDescription
AuthorizationStandard HTTP header is used to associate the request with the originating invoker. The content of this header is a Bearer token generated from you client_secret, defined in the API Auth guide.
X-Store-IdThe ID of the store in your system this call acts on behalf of.

All resource endpoints expect the Authorization header, the remaining headers are explicitly stated in the individual endpoint documentation section.

With these headers, the system will:

  • Validate the client token, making sure the call is originating from a trusted source.
  • Validate that the Application has the permission to access the v1/resource/{id} resource via the Application's pre-configured scopes.
  • Translate your X-Store-Id to our internal store ID (e.g. AAA).
  • Validate and retrieve resource AAA, that is associated to your Application via store id 321.

POST/PUT methods will look similar to the GET calls, but they'll take in a body in the HTTP request (default to the application/json content-type).

curl --location --request POST 'https://{{public-api-url}}/v1/resource' \
--header 'Authorization: Bearer 34fdabeeafds=' --header 'X-Store-Id: 321'
--data '{"foo": "bar"}'

API Authentication/Authorization

<SecurityDefinitions />

Webhook

The Otter API is able to send notifications to your system via HTTP POST requests.

Every webhook is signed using HMAC-SHA256 that is present in the header X-HMAC-SHA256, and you can also authenticate the requests using Basic Auth, Bearer Token or HMAC-SHA1 (legacy). Please, refer to Webhook Authentication Guide for more details.

Please work with your Account Representative to setup your Application's Webhook configurations.

Example Base-URL = https://{{your-server-url}}/webhook

Notification Schema

NameTypeDescription
eventIdstringUnique id of the event.
eventTimestringThe time the event occurred.
eventTypestringThe type of event (e.g. create_order).
metadata.storeIdstringId of the store for which the event is being published.
metadata.applicationIdstringId of the application for which the event is being published.
metadata.resourceIdstringThe external identifier of the resource that this event refers to.
metadata.resourceHrefstringThe endpoint to fetch the details of the resource.
metadata.payloadobjectThe event object which will be detailed in each Webhook description.

Notification Request Example

curl --location --request POST 'https://{{your-server-url}}/webhook' \
--header 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36' \
--header 'Authorization: MAC <hash signature>' \
--header 'Content-Type: application/json' \
--data-raw '{
"eventId": "123456",
"eventTime": "2020-10-10T20:06:02:123Z",
"eventType": "orders.new_order",
"metadata": {
"storeId": "755fd19a-7562-487a-b615-171a9f89d669",
"applicationId": "e22f94b3-967c-4e26-bf39-9e364066b68b",
"resourceHref": "https://{{public-api-url}}/v1/orders/bf9f1d81-f213-496e-a026-91b6af44996c",
"resourceId": "bf9f1d81-f213-496e-a026-91b6af44996c",
"payload": {}
}
}

Expected Response

The partner application should return an HTTP 200 response code with an empty response body to acknowledge receipt of the webhook event.

Rate Limiting

Please, refer to Rate Limiting Guide for more details.

Error codes

The APIs use standard HTTP status codes to indicate the success or failure of a request. Error codes are divided into two categories: 4XX codes for client-side errors and 5xx codes for server-side errors.

4XX Client-Side Errors

Client-side errors are indicated by status codes in the 4xx range. These errors are typically the result of a problem with the request made by your application. If a client-side error occurs, our API will return a response that includes an appropriate error message. This message will provide information about the cause of the error. The aim of these messages is to assist you in identifying and resolving the issue. For example, if you submit a request with missing or invalid parameters, you might receive a 400 Bad Request error with a message indicating which parameters were missing or incorrect.

5XX Server-Side Errors

Server-side errors are represented by status codes in the 5xx range. These errors suggest a problem with our server, not with your application's request. Server-side errors are typically transient, meaning they are temporary. If a server-side error occurs, we recommend that the client retries the same request with the exact same parameters. For example, if you get a 500 Internal Server Error, it's possible that our server is suffering a temporary problem. In such cases, retrying the request after a short delay is often successful. If you continually receive server-side errors, reach out to our support team for further assistance.

Authentication

The Authorization API is based on the OAuth2.0 protocol, supporting the (Client Credentials)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.4] and the (Authorization Code)[https://datatracker.ietf.org/doc/html/rfc6749#section-4.1] flows. Resources expect a valid token sent as a Bearer token in the HTTP Authorization header.

Scopes

Scopes must be configured by our internal team to be enabled for an app. Once the scopes are configured they can be enabled on the Application Settings Page in Otter Developer Portal. Each endpoint requires a given scope that can be verified on each endpoint documentation. When generating an OAuth2.0 token multiple scopes can be requested.

Authorization Code Flow

To perform this flow, the authorization code flow must be enabled in the Application Settings Page in Otter Developer Portal. When enabling the flow it is mandatory to provide a redirect URI pointing to your application. Once the flow is complete we will redirect the user to this URI passing the 'code' and 'state' parameters. The Authorization Code flow provides a temporary code that the client application can exchange for an access token. To start the flow the application must request the user authorization. This is done by sending a request to https://{{public-api-url}}/v1/auth/oauth2/authorize. Example

curl --location 'https://{{public-api-url}}/v1/auth/oauth2/authorize?client_id=[CLIENT_ID]&redirect_uri=[REDIRECT_URI]&response_type=code&scope=organization.read&state=8A9D16B4C3E25F6A'

This call will return a 302 redirecting the user to our authorization page. If the user approves the application, we will redirect to configured URI passing the authorization code in the query parameter 'code'. The 'state' parameter is also sent to ensure the source of the data. With the authorization code, the client application can generate the token.

Client Credentials Flow

The client_credentials flow does not require any steps before generating the token. Once your application is ready, and the client_id and client_secret are available, the token can be generated by following the instructions in the next section.

Generate Token

To generate the token, use the Client ID and Client Secret (provided during onboarding), and optionally the authorization code obtained after performing the Authorization Code flow, to the Token Auth endpoint endpoint. The result of this invocation is a token that is valid for a pre-determined time or until it is manually revoked.

The access token obtained will be sent as a Bearer value of the Authorization HTTP header.

Client credentials in the request-body and HTTP Basic Auth are supported.

Request Example for client_credentials

curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=ping' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=[APPLICATION_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]'

Request Example for authorization_code

curl --location --request POST 'https://{{public-api-url}}/v1/auth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'scope=ping' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=[APPLICATION_ID]' \
--data-urlencode 'client_secret=[CLIENT_SECRET]' \
--data-urlencode 'code=[code]' \
--data-urlencode 'redirect_uri=[redirect_uri]'

Response Example

{
"access_token": "oMahtBwBbnZeh4Q66mSuLFmk2V0_CLCKVt0aYcNJlcg.yditzjwCP7yp0PgR6AzQR3wQ1rTdCjkcPeAMuyfK-NU",
"expires_in": 2627999,
"scope": "ping orders.create",
"token_type": "bearer"
}

Token Usage

The token provided in field access_token is used to authenticate when consuming the API endpoints. Send the token value in the Authorization header of every request. The token expiration time is represented in the field expired_in, in seconds. Currently, all tokens are valid for 30 days and should be stored and re-used while still valid.

Note that occasionally, a 401 error may be returned for a valid token due to an internal service issue. Such occurrences should be rare. To prevent exposing potential vulnerabilities to attackers, the Otter API does not disclose other types of errors in the authentication flow if for any reason the token can't be validated (when it's a valid token then it's ok to return 5XX or other 4XX though - such as 403). In such scenarios, although the internal auth flow avoids retries to prevent attacks, if the token is known to be valid and not expired, a retry with a backoff interval by the client is advised. Another option is to request a new token.

Example

curl --location --request GET 'https://{{public-api-url}}/v1/ping' \
--header 'Authorization: Bearer <access_token>' \
--header 'X-Store-Id: <storeId>'

Security Scheme Type:

oauth2

OAuth Flow (clientCredentials):

Token URL: /v1/auth/token

Scopes:

  • catalog: Permission to interact with product inventory for existing stores.

  • delivery.provider: Permission to provide delivery services for existing orders.

  • finance: Permission to provide financial data for orders/stores.

  • manager.menus: Permission to manage menus.

  • manager.orders: Permission to manage orders.

  • manager.storefront: Permission to manage storefront.

  • menus.async_job.read: Permission to read the status of a menu upsert job.

  • menus.entity_suspension: Permission to notify the result of a menu entity availability update, after being requested by a webhook event.

  • menus.get_current: Permission to send the current state of a menu, after being requested by a webhook event.

  • menus.publish: Permission to notify the result of a publish menus operation for a given store.

  • menus.read: Permission to read the current menus for a given store.

  • menus.upsert: Permission to create/update menus for a given store.

  • menus.upsert_hours: Permission to notify the receiving of the upsert hours menu event, after being requested by a webhook event.

  • orders.create: Permission to create new order for a given store.

  • orders.read: Permission to read orders and connected data.

  • orders.update: Permission to create and update new orders for a given store.

  • ping: Permission to ping the system.

  • reports.generate_report: Permission to request reports for given store(s) and period of time.

  • reviews.reply: Permission to reply to reviews.

  • storefront.store_pause_unpause: Permission to notify the result of a pause/unpause operation, after being requested by a webhook event.

  • storefront.store_availability: Permission to send the current state of store.

  • storefront.store_hours_configuration: Permission to send the current store hours configuration.

  • stores.manage: Permission to onboard stores and update the identifier.

  • callback.error.write: Token has permission to send failed webhook event results.

  • manager.loyalty: Permission to interact with loyalty services.

  • direct.orders: Permission to interact with direct order services.

  • store.read: Permission to query store information.

OAuth Flow (authorizationCode):

Token URL: /v1/auth/token

Authorization URL: /v1/auth/oauth2/authorize

Scopes:

  • organization.read: Permission to read data for organization/brands/stores on behalf of a user.

  • organization.service_integration: Permission to manage the your integration with a given store on behalf of a user.

License