Token Generation
Description
Generates a token that authorizes use of the Reporting API. Some tokens are intended to be shared and public, while others are intended to be kept secret. Tokens with broader access (tokens that can read data for any child of a merchant) should only be used from a gateway to our API. These tokens are generated with a parent login that has access to child merchants. Tokens whose security is restricted to reading data for a single merchant can be shared and placed into iframes on portals; they are created by providing the MID for the child merchant and either the child password or the parent password (which has access to children).
Secure Tokens with Overrides to run Reports
When generating a token to run a report, it is possible to use overrides for parameters or settings of the intended report(s). Anything included in an override is encoded in the token, which locks that value when the token is used to run a report. If a parameter or setting is not provided in an override, a user can alter the query string and retrieve different report results by supplying different values for that parameter or setting.
Override Types
Overrides can be of two types: report settings or parameters.
Report settings overrides
Possible options are: Action, ReportPermDesc, OutputType, ReportXSLTPermDesc, Tags, DecodeCSS. To include overrides of this type, use the format OVERRIDE_SettingName=settingvalue
Example using action: &OVERRIDE_Action=Report
Parameter overrides
This type of override is any parameter for the given report and can be found in the report definition. To include overrides of this type, use the format OVERRIDE_Param_ParamName=ParamValue
Example using parameter override: &OVERRIDE_Param_MID=999011
If a token is generated using the parent MID and parent password and the child MID is not set as an override, the token has access to any of the child merchants, and a malicious user could change the query string to retrieve results for any of them.
Best Practices
When generating tokens for reports, it is highly recommended to get the token using the child MID and child password or aggregator password, and to also provide, at a minimum, an override for the child MID and an override for action equal to Report.
Minimum suggested overrides: &OVERRIDE_Action=Report&OVERRIDE_Param_MID=ChildMID
A token expires 72 hours after it is created.
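The best-practice request above, as an added Python example (not CheckCommerce code): it builds a token request that always pins OVERRIDE_Action=Report and OVERRIDE_Param_MID, audits an existing request URL for missing pins, and checks the JSON response. It assumes overrides are appended to the Security.aspx query string; the host name, function names and dummy credentials are placeholders.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_PATH = "/EpnAPI/Security.aspx"
# Report-setting names the page lists as overridable.
SETTING_OVERRIDES = {"Action", "ReportPermDesc", "OutputType",
                     "ReportXSLTPermDesc", "Tags", "DecodeCSS"}
# Minimum overrides the page's best practices call for.
REQUIRED_OVERRIDES = ("OVERRIDE_Action", "OVERRIDE_Param_MID")


def build_token_request(base_url, username, password, child_mid,
                        settings=None, params=None):
    """Build a token request URL that always pins Action=Report and the child MID."""
    query = [("UserName", username), ("Password", password),
             ("Action", "Token"), ("OutputType", "JSON")]
    pinned_settings = dict(settings or {})
    pinned_settings["Action"] = "Report"   # caller cannot replace this pin
    for name, value in pinned_settings.items():
        if name not in SETTING_OVERRIDES:
            raise ValueError(f"unknown report setting override: {name}")
        query.append((f"OVERRIDE_{name}", value))
    pinned_params = dict(params or {})
    pinned_params["MID"] = child_mid       # lock the token to one merchant
    for name, value in pinned_params.items():
        query.append((f"OVERRIDE_Param_{name}", value))
    return f"{base_url.rstrip('/')}{TOKEN_PATH}?{urlencode(query)}"


def missing_overrides(url):
    """Return the required overrides that are absent or empty in a token request URL."""
    sent = parse_qs(urlsplit(url).query)   # blank values are dropped by default
    return [name for name in REQUIRED_OVERRIDES if not sent.get(name)]


def parse_token_response(body):
    """Return the token from a JSON response, or raise if the call failed."""
    reply = json.loads(body)
    if reply.get("Severity") != "0" or reply.get("Success") != "True":
        raise RuntimeError(f"token request failed: {reply.get('Message')}")
    return reply["Token"]


if __name__ == "__main__":
    # Constructed values: placeholder host, sample MID from the page, dummy password.
    url = build_token_request("https://reports.example.invalid", "999011",
                              "dummy-password", "999011")
    print(url, missing_overrides(url))
```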
Endpoints
URL | Type |
---|---|
/EpnAPI/Security.aspx | CGI |
Query Parameters
Name | Required | Values |
---|---|---|
Username | Yes | Provided by CheckCommerce |
Password | Yes | Provided by CheckCommerce |
Action | Yes | Token |
OutputType | No | XML or JSON. If not provided the default is XML |
Response Properties
Parameter | Values |
---|---|
Method | Token |
Version | 1.4.2.24, the version of the API that you are using. |
Severity | 0 is success; any other value is a failure |
Success | Boolean True or False |
Message | “Success”, or a message indicating the error |
Token | The Token response, if the call was successful |
Request Samples
JSON
Request
/EpnAPI/Security.aspx?&UserName={MerchantNumber}&Password={MerchantPassword}&Action=Token&OutputType=JSON
Response
{
  "Method": "Token",
  "Version": "1.4.2.24",
  "Severity": "0",
  "Success": "True",
  "Message": "Success",
  "Token": "f84LLM4Q/gvVr7PEpMp+iWzIjVgLtXLx0cRnX15MafcGlwvUM2dzF1CU3qA0Khep9dnOA7CrSulRUNNz9 2eJZrthMN9IcDx/+1adVoRO5BaUkO7SpCUZfYiNha0/jaqWzUW7Gi2iH+KG8pG9BqbYt14/OO68OqozFyH av4aGnAbDWy5vg0Seo4vS0TAXcPKSodV56HJkGIW9+MY/e/IoCVxhPuYuZnmeZjLylsTVwDYfu1tGSWPqj CdlW6gj6YQP"
}
XML
Request
/EpnAPI/Security.aspx?&UserName={MerchantNumber}&Password={MerchantPassword}&Action=Token&OutputType=XML
Response
<Response Method="Token" Version="1.4.2.24" Severity="0" Success="True">
  <Message>Success</Message>
  <Token>1YN4tpfMWWxA7P/hzNYgXxec1mBcT5l0PuwIzNye767ShuNnRMGYYPjSYP1ot3PqfL+koF5mvx8//3Rgop uDp2jXDYlakofNZZCbsnwaECR6IlVAUdI2xT977y5PTDeCNGGFvv3Pfkzcss2x39r4CWrlNIcAKwB7cUJB o8h4v6QfA2yPneGn0/wtQVgmsjrd1+ga6V4whvBYf+rvkUET+TGBvs1qp5PhsJFR9Fcpagk=</Token>
</Response>
Headers
The output is streamed out directly, together with encoded HTTP headers containing the message status information.
Message:Success
Method:Token
Severity:0
Success:True
Token:qXDzh0e/vwIZ8mgA=
Version:1.4.2.24
SDK Example
using CheckCommerce.SDK.ActiveReports;

// Request a Reporting API token for the given merchant login.
string token = Token.GetToken("{MerchantNumber}", "{MerchantPassword}");