Authentication Guide¶
This guide covers all authentication methods used by LogiDAV APIs.
Overview¶
LogiDAV APIs support three authentication methods:
- Token Bearer Authentication - Used by Core API and Supplier APIs
- Custom X-API-Token Header - Used by Chatbot API
- Public Endpoints - No authentication required (limited endpoints)
Token Bearer Authentication¶
Used By¶
- Core API endpoints (Sales, SAV, Contact)
- Supplier API endpoints (AsirGroup, Notio)
Header Format¶
Example Request¶
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
https://api.menzzo.fr/api/sale/12345
Getting Your Token¶
Contact the development team to obtain your Bearer token:
- Email: technique@menzzo.fr
- Include: your use case and the endpoints you need
- Response time: within 1-2 business days
Token Security Best Practices¶
1. Storage¶
# Store in environment variables
export MENZZO_API_TOKEN="your_token_here"
# Never commit to version control. If the variable lives in a .env file,
# ignore that file: a .gitignore pattern matches file names, not the
# contents of a file, so "MENZZO_API_TOKEN=*" would protect nothing.
echo ".env" >> .gitignore
2. Usage in Code¶
// Node.js example
const token = process.env.MENZZO_API_TOKEN;
// Fail fast: an unset variable would otherwise send "Bearer undefined"
if (!token) {
  throw new Error('MENZZO_API_TOKEN is not set');
}
fetch('https://api.menzzo.fr/api/sale/12345', {
  headers: {
    'Authorization': `Bearer ${token}`
  }
});
# Python example
import os
import requests

# os.environ[...] raises KeyError when the variable is missing, whereas
# os.environ.get() would silently send "Bearer None"
token = os.environ['MENZZO_API_TOKEN']
headers = {
    'Authorization': f'Bearer {token}'
}
response = requests.get(
    'https://api.menzzo.fr/api/sale/12345',
    headers=headers,
    timeout=10
)
response.raise_for_status()
3. Rotation¶
- Rotate tokens every 90 days
- Keep old token active for 7 days during transition
- Update all systems before deactivating old token
Custom X-API-Token Authentication¶
Used By¶
- Chatbot API endpoints only
Header Format¶
Example Request¶
Why Custom Header?¶
The Chatbot API uses a custom header for:
- Isolation: Separate authentication from other APIs
- Validation: Custom validation logic in MenzzoChatbotWrapperApiController
- Monitoring: Easy tracking of chatbot-specific requests
Implementation¶
// JavaScript/Node.js
class MenzzoChatbotAPI {
  constructor(apiToken) {
    if (!apiToken) {
      throw new Error('CHATBOT_API_TOKEN is not set');
    }
    this.token = apiToken;
    this.baseURL = 'https://api.menzzo.fr';
  }
  async request(endpoint) {
    const response = await fetch(`${this.baseURL}${endpoint}`, {
      headers: {
        'X-API-Token': this.token,
        'Content-Type': 'application/json'
      }
    });
    // Check the HTTP status before parsing: a 401 or a 5xx may carry a
    // non-JSON body, and response.json() would then throw a misleading error
    if (!response.ok) {
      throw new Error(`HTTP ${response.status} from ${endpoint}`);
    }
    const data = await response.json();
    if (!data.success) {
      throw new Error(data.message || 'API Error');
    }
    return data;
  }
}
// Usage
const api = new MenzzoChatbotAPI(process.env.CHATBOT_API_TOKEN);
const order = await api.request('/api/sale/details/15000012345');
Token Validation¶
The Chatbot API validates tokens using:
// Simplified validation logic
$providedToken = $request->headers->get('X-API-Token');
$validToken = $this->getParameter('api_token');
if ($providedToken !== $validToken) {
    return [
        'success' => false,
        'error' => 'Non autorisé',                         // "Unauthorized"
        'message' => "Token d'API manquant ou invalide"   // "API token missing or invalid"
    ];
}
Two caveats about this check. `!==` compares the strings byte by byte and stops at the first mismatch, so its running time depends on how many leading bytes the caller got right; PHP's `hash_equals()` is the constant-time replacement. And because the comparison is strict, a request with no header (`null`) is only rejected because `api_token` is set: if that parameter were ever unset in an environment, `null !== null` would be false and the request would be accepted, so the configured value should also be checked for non-emptiness.
Public Endpoints¶
No Authentication Required¶
Some endpoints are publicly accessible:
SAV Form Retrieval¶
Use Case: Allow customers to access SAV forms without authentication
Example:
SAV Form Submission¶
Use Case: Submit SAV forms from public website
Note: Limited functionality without authentication
Authentication Errors¶
Token Bearer Errors¶
Missing Token:
Invalid Token:
Expired Token:
X-API-Token Errors¶
Missing Token:
Invalid Token:
Multi-Environment Setup¶
Development¶
Staging¶
Production¶
Environment-Aware Configuration¶
const config = {
development: {
apiUrl: 'https://dev-api.menzzo.fr',
token: process.env.DEV_MENZZO_TOKEN
},
staging: {
apiUrl: 'https://staging-api.menzzo.fr',
token: process.env.STAGING_MENZZO_TOKEN
},
production: {
apiUrl: 'https://api.menzzo.fr',
token: process.env.PROD_MENZZO_TOKEN
}
};
const env = process.env.NODE_ENV || 'development';
const { apiUrl, token } = config[env];
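The configuration above silently returns `undefined` for an unknown `NODE_ENV` (the destructuring then throws a `TypeError`) and sends `Bearer undefined` when the variable is unset. The loader below, an added example rather than the project's code, validates the selection before any request is made and also catches the whitespace and truncation problems listed under Troubleshooting. The URLs and variable names are the page's; `loadApiConfig` and the injected `vars` object are this example's own.

```javascript
// Added example: validated environment-aware configuration.
// loadApiConfig is a name chosen for this example; the environment table
// mirrors the page's config object.
const environments = {
  development: { apiUrl: 'https://dev-api.menzzo.fr',     tokenVar: 'DEV_MENZZO_TOKEN' },
  staging:     { apiUrl: 'https://staging-api.menzzo.fr', tokenVar: 'STAGING_MENZZO_TOKEN' },
  production:  { apiUrl: 'https://api.menzzo.fr',         tokenVar: 'PROD_MENZZO_TOKEN' },
};

// env: the NODE_ENV value. vars: an object shaped like process.env, passed
// in so the loader can be exercised with constructed values.
function loadApiConfig(env, vars) {
  const entry = environments[env];
  if (!entry) {
    throw new Error(`Unknown environment "${env}"; expected one of ${Object.keys(environments).join(', ')}`);
  }
  // Refuse plaintext transport even if the table is edited later.
  if (!entry.apiUrl.startsWith('https://')) {
    throw new Error(`apiUrl for ${env} must use https`);
  }
  const raw = vars[entry.tokenVar];
  if (raw === undefined || raw === '') {
    throw new Error(`${entry.tokenVar} is not set`);
  }
  // Leading/trailing whitespace or an embedded line break is the usual
  // cause of "intermittent" 401s: pasted token, .env line ending, or a
  // value truncated and re-joined by a config tool.
  if (raw !== raw.trim() || /[\r\n\t ]/.test(raw)) {
    throw new Error(`${entry.tokenVar} contains whitespace or a line break; check how it was set`);
  }
  // tokenHint is safe to log; the token itself is not.
  return {
    apiUrl: entry.apiUrl,
    token: raw,
    tokenHint: `${raw.slice(0, 4)}...(${raw.length} chars)`,
  };
}

// Usage with the real process environment:
// const { apiUrl, token, tokenHint } = loadApiConfig(process.env.NODE_ENV || 'development', process.env);
// console.log(`using ${apiUrl} with token ${tokenHint}`);
```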
Testing Authentication¶
Test Token Validity¶
# Test Bearer token
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://api.menzzo.fr/api/sale/1
# Test X-API-Token
curl -H "X-API-Token: YOUR_TOKEN" \
https://api.menzzo.fr/api/product/TEST-SKU
# Expected success response
{
"success": true,
"data": { ... }
}
# Expected failure response (invalid token)
{
"success": false,
"error": "Unauthorized",
"message": "Invalid token"
}
Security Checklist¶
- Tokens stored in environment variables, not code
- Tokens not committed to version control
- HTTPS only (never HTTP)
- Token rotation schedule defined
- Monitoring for unauthorized access attempts
- Separate tokens for dev/staging/production
- Token access logged and audited
- Emergency token revocation process documented
Troubleshooting¶
Issue: "Unauthorized" Error¶
Check:
1. Token is correct and not expired
2. Header format is correct (Authorization: Bearer {token})
3. Using correct token type for endpoint (Bearer vs X-API-Token)
4. HTTPS is being used
Issue: Token Not Working After Rotation¶
Solution:
1. Verify the new token was received from the team
2. Update all environment variables
3. Restart all services
4. Confirm the old token is deactivated
Issue: Intermittent Authentication Failures¶
Check:
1. Token is not being truncated in logs or configs
2. No extra whitespace in the token string
3. Environment variable is properly loaded
4. No special characters causing issues
Rate Limiting & Quotas¶
Currently, no explicit rate limits are enforced. However:
- Recommended: Maximum 10 requests per second per token
- Best Practice: Implement exponential backoff on errors
- High Volume: Contact team for dedicated quota
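A client that follows both recommendations, as an added example and not the project's code: a token bucket caps the send rate at 10 requests per second per token, and transient failures are retried with exponential backoff and jitter, while 401 and 403 are not retried because a wrong token will not become right on the next attempt. `fetchFn` and `sleep` are injected so the block runs offline against a constructed fake server; `RateLimitedClient`, `backoffDelay` and the retryable status list are this example's own choices.

```javascript
// Added example: rate limiting and exponential backoff for a Bearer client.
// RateLimitedClient, backoffDelay and makeFakeFetch are this example's names.

// Delay before retry number `attempt` (0-based): 200ms, 400ms, 800ms, ...
// plus up to 100ms of jitter so several workers do not retry in lockstep.
function backoffDelay(attempt, rand = Math.random) {
  return 200 * 2 ** attempt + Math.floor(rand() * 100);
}

class RateLimitedClient {
  constructor({ fetchFn, baseURL, headers, rps = 10, maxRetries = 4, now = () => Date.now(), sleep }) {
    this.fetchFn = fetchFn;
    this.baseURL = baseURL;
    this.headers = headers;
    this.rps = rps;
    this.maxRetries = maxRetries;
    this.now = now;
    this.sleep = sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
    this.tokens = rps;        // bucket starts full
    this.lastRefill = now();
  }

  // Token bucket: refill proportionally to elapsed time, wait when empty.
  async acquire() {
    for (;;) {
      const t = this.now();
      this.tokens = Math.min(this.rps, this.tokens + ((t - this.lastRefill) / 1000) * this.rps);
      this.lastRefill = t;
      if (this.tokens >= 1) { this.tokens -= 1; return; }
      await this.sleep(Math.ceil(((1 - this.tokens) / this.rps) * 1000));
    }
  }

  // Retry only transient failures. 401/403 mean the token is wrong; retrying
  // them burns quota and fills the server's auth-failure logs.
  static isRetryable(status) {
    return status === 429 || status === 502 || status === 503 || status === 504;
  }

  async request(endpoint) {
    let attempt = 0;
    for (;;) {
      await this.acquire();
      const res = await this.fetchFn(`${this.baseURL}${endpoint}`, { headers: this.headers });
      if (res.ok) return res.json();
      if (!RateLimitedClient.isRetryable(res.status) || attempt >= this.maxRetries) {
        throw new Error(`Request failed with HTTP ${res.status}`);
      }
      await this.sleep(backoffDelay(attempt));
      attempt += 1;
    }
  }
}

// Constructed fake server: answers 503 for the first `failures` calls, then 200.
function makeFakeFetch(failures) {
  let calls = 0;
  const fn = async () => {
    calls += 1;
    if (calls <= failures) return { ok: false, status: 503, json: async () => ({ success: false }) };
    return { ok: true, status: 200, json: async () => ({ success: true, data: { call: calls } }) };
  };
  fn.count = () => calls;
  return fn;
}

// Runs the client against the fake: two 503s, then success on the third call.
async function demo() {
  const fetchFn = makeFakeFetch(2);
  const client = new RateLimitedClient({
    fetchFn,
    baseURL: 'https://api.menzzo.fr',
    headers: { Authorization: 'Bearer example-token' },
    sleep: async () => {},   // no real waiting in the offline demo
  });
  const result = await client.request('/api/sale/1');
  return { result, calls: fetchFn.count() };
}

demo().then(({ result, calls }) => console.log(result, `after ${calls} calls`));
```

For real use, drop the `sleep` override, pass the global `fetch`, and build `headers` from the environment-variable token as in the examples earlier on this page.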
Related Documentation¶
- Core API - Endpoints using Bearer authentication
- Chatbot API - Endpoints using X-API-Token
- Supplier APIs - Endpoints using Bearer authentication
- Error Handling - Common errors and solutions