Authentication of API users

Our APIs use standard HTTP Digest authentication, as defined in RFC 2617.

In order to use our APIs (to perform create, retrieve, update, and delete actions) a special API user (that we call a robot user) needs to be created within your BeBanjo or Sequence account. There can be as many robot users as required, so that different parties that need to access the account via the API can all have different logins and passwords.

Authentication will take place with the robot user’s login and password. If you have cURL installed, you can try your new robot user credentials on a terminal.

Here is how you would do this for the BeBanjo API:

$ curl --digest -u robot_user:password https://movida.bebanjo.net/api

Note that https://movida.bebanjo.net is the URL of the BeBanjo production environment. The URL of the staging environment is https://staging-movida.bebanjo.net/ and the URL of the preproduction environment is https://preproduction-movida.bebanjo.net/.

If you leave the password out of the -u option (-u robot_user), curl prompts you for it. If you authenticated correctly, the response should be valid XML.

Note: A robot user cannot log in to the BeBanjo applications using a web browser, and a normal user cannot fully utilise the API; see the API browser section below for more details.

Nonce reuse

Digest authentication requires a negotiation with the server to obtain a valid nonce token.

This negotiation slows communication down because clients need to send each request twice. To improve performance, our applications support nonce reuse for a period of 5 minutes: a valid nonce obtained from the server can be used for 5 minutes without having to negotiate a new one.

We are not planning to change this 5-minute duration, but to make your integration more resilient you could implement a fallback mechanism that, when a cached nonce has expired, automatically gets a new one.
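The following sketch shows one way to combine nonce reuse with the fallback described above. It is an added example, not BeBanjo code: it assumes the server issues an RFC 2617 challenge with algorithm MD5 and qop=auth, and `DigestSession` and its `send` transport hook are hypothetical names.

```python
import hashlib, re, secrets, time

NONCE_TTL = 300  # seconds: the 5-minute reuse window stated above

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for algorithm=MD5, qop=auth (assumed here)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestSession:
    """Reuses a cached nonce; renegotiates once when it is absent, old or rejected."""

    def __init__(self, user, password, send, clock=time.monotonic):
        # send(method, uri, authorization_or_None) -> (status, headers, body)
        # is a hypothetical transport hook so the logic can run offline.
        self.user, self.password, self.send, self.clock = user, password, send, clock
        self.challenge, self.obtained, self.nc = None, 0.0, 0

    def _authorization(self, method, uri):
        c = self.challenge
        self.nc += 1  # nc must increase each time the same nonce is reused
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        resp = digest_response(self.user, c["realm"], self.password,
                               method, uri, c["nonce"], nc, cnonce)
        header = (f'Digest username="{self.user}", realm="{c["realm"]}", '
                  f'nonce="{c["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
                  f'cnonce="{cnonce}", response="{resp}"')
        if "opaque" in c:
            header += f', opaque="{c["opaque"]}"'
        return header

    def request(self, method, uri):
        auth = None
        if self.challenge and self.clock() - self.obtained < NONCE_TTL:
            auth = self._authorization(method, uri)  # skip the negotiation
        status, headers, body = self.send(method, uri, auth)
        if status == 401:  # no nonce yet, or the server no longer accepts it
            self.challenge = dict(re.findall(r'(\w+)="([^"]*)"',
                                             headers["WWW-Authenticate"]))
            self.obtained, self.nc = self.clock(), 0
            auth = self._authorization(method, uri)
            status, headers, body = self.send(method, uri, auth)  # single retry
        return status, body
```

Because the retry happens only once, a wrong password surfaces as a 401 to the caller instead of looping.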

API browser

A regular BeBanjo application username can be used to access the API with a web browser, but the user can only perform retrieve actions (i.e. it’s read-only access).

To do this, simply log into the BeBanjo or Sequence applications as usual (via our ID application) and then change the URL shown in the location of the web browser by adding /api to the path after the hostname.

For example, in BeBanjo, changing https://movida.bebanjo.net/catalog to https://movida.bebanjo.net/api will show you the root of the BeBanjo API in your web browser and you can follow the links to explore the API.

TLS

TLS connections are required in order to access the BeBanjo API. Communicating over TLS preserves user privacy by protecting information between the user and the BeBanjo API as it travels across the public Internet.

BeBanjo’s TLS certificate for *.bebanjo.net is signed by Sectigo Limited, using the Sectigo RSA Domain Validation Secure Server CA.

Your application or client should ensure that the certificate chain returned for BeBanjo servers is signed by our approved vendor and not other CA roots.

Please note that this TLS certificate might be periodically rotated based on our renewal policy. This has no impact on applications or clients that trust our approved CA root, so no action is required from your side in this case.

You can get full information about our certificate chain by executing this command using openssl:

$ openssl s_client -showcerts -servername id.bebanjo.net -connect id.bebanjo.net:443