Authorization


Vendy authenticates your API requests using your permanent Access Key and Secret Key. All API requests must be made over HTTPS and include an Authorization header with your credentials; requests made over plain HTTP will fail. Using permanent keys simplifies integration by removing the need to generate and refresh temporary tokens.

How to Authenticate

Vendy uses HTTP Basic Authentication, a standard scheme for sending credentials. You will use your AccessKey as the username and your SecretKey as the password.

Key          Description
AccessKey    Your unique public identifier, found in the Settings page of your Vendy dashboard.
SecretKey    Your private credential, found in the Settings page of your Vendy dashboard. Never share this key.

To authenticate a request, you must follow these steps:

  1. Combine your AccessKey and SecretKey into a single string, separated by a colon (:).
    • Format: AccessKey:SecretKey
  2. Base64-encode the resulting string.
  3. Provide the encoded string in the Authorization header with the Basic scheme.
    • Format: Authorization: Basic <base64_encoded_string>

Example Request

Here is an example using curl to make an authenticated request.

# 1. Your keys
ACCESS_KEY="YOUR_ACCESS_KEY"
SECRET_KEY="YOUR_SECRET_KEY"

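# 2. Combine and Base64-encode the keys
# (printf adds no trailing newline; tr strips the line wrapping base64 applies to long input)
ENCODED_KEYS=$(printf '%s' "$ACCESS_KEY:$SECRET_KEY" | base64 | tr -d '\n')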

# 3. Make the API call with the Authorization header
curl -X GET "https://api.vendy.com/v1/your-endpoint" \
  -H "Authorization: Basic $ENCODED_KEYS" \
  -H "Content-Type: application/json"

Server and Response Behavior

All requests must be sent server-to-server, and your app or website should never communicate directly with Vendy APIs, as this would expose your Secret Key.

  • If you are authorized, the resource server will return the requested information with a 2xx status code.
  • If your credentials are incorrect or you are not authorized, the server will return a 4xx error message.

Protecting Your API Keys

Your AccessKey and SecretKey provide direct, permanent access to your account and should be protected with the same level of security as your main account password. Anyone with your keys can perform constructive and destructive actions, including initiating withdrawals and modifying account data.

Follow these best practices to keep your keys secure:

  • Do not store API keys in your application's source control (e.g., Git, Bitbucket).
  • If you use configuration files, keep them outside your version control system.
  • Do not embed API keys directly in your code; use environment variables or a secrets management service to inject them at runtime.
  • Limit employee access to production API keys to only necessary personnel.
  • Do not expose your keys in client-side code (e.g., JavaScript in a web browser). All API calls must originate from a secure backend server.
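
The practices above, combined with the HTTPS-only rule, as a backend shell helper. This is an added example, not Vendy's own code: the variable names VENDY_ACCESS_KEY and VENDY_SECRET_KEY and the function names are assumptions, and passing the header on stdin with `-H @-` requires curl 7.55.0 or later.

```shell
# Added example (not Vendy's code). VENDY_ACCESS_KEY / VENDY_SECRET_KEY are
# assumed names; inject them at runtime from the environment or a secrets manager.

# Build the Basic credential: base64("AccessKey:SecretKey") on a single line.
vendy_basic_token() {
  if [ -z "${VENDY_ACCESS_KEY:-}" ] || [ -z "${VENDY_SECRET_KEY:-}" ]; then
    echo "vendy: VENDY_ACCESS_KEY and VENDY_SECRET_KEY must be set" >&2
    return 1
  fi
  # Basic auth splits on the first colon, so the username must not contain one.
  case "$VENDY_ACCESS_KEY" in
    *:*) echo "vendy: access key must not contain ':'" >&2; return 1 ;;
  esac
  # printf adds no trailing newline; tr removes base64's wrapping of long output.
  printf '%s:%s' "$VENDY_ACCESS_KEY" "$VENDY_SECRET_KEY" | base64 | tr -d '\n'
}

# Refuse anything that is not HTTPS before credentials are attached.
vendy_require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "vendy: refusing non-HTTPS URL" >&2; return 1 ;;
  esac
}

# GET a URL. The body runs in a subshell, so the token variable does not
# persist in the caller's shell. The header reaches curl on stdin (-H @-),
# keeping the encoded secret out of the process argument list.
vendy_get() (
  vendy_require_https "$1" || exit 1
  token=$(vendy_basic_token) || exit 1
  printf 'Authorization: Basic %s\n' "$token" |
    curl --fail --silent --show-error --proto '=https' -H @- "$1"
)
```

Call it as `vendy_get "https://api.vendy.com/v1/your-endpoint"` from a backend process whose environment already holds the two keys.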