How to authenticate
Credentials Required
Working directly with the Karhoo APIs requires valid credentials (an API key or a username/password pair).
Contact Karhoo to gain full access to the platform.
Overview
There are two types of credentials that can be used with Karhoo APIs as an authorisation grant:
- API keys
- Username and Password
API keys are usually easier to use and should therefore be the preferred choice for backend-to-backend integrations.
API Keys
The prerequisite for using this authorisation grant is a valid Karhoo account (registered by a Karhoo representative). Once the account is created, the user can log in to the Partner Portal and issue an API key, which can be used directly in API calls as an authorisation grant.
Issuing API Keys
Log in to the Partner Portal using the Sign in with email option.
Navigate to API Keys and generate a new API key with your preferred access scope.
Using API Keys
API Keys enable access to Karhoo endpoints when added to the Authorization header with the ApiKey auth scheme.
POST https://rest.karhoo.com/v2/quotes
Authorization: ApiKey <issued-api-key>
...
Username and Password [Deprecated]
Username and Password authentication is deprecated and will be removed on 01/01/2023. If you are using this authentication method, please contact Karhoo and switch to API keys.
The prerequisite for using this authorisation grant is a valid Karhoo account (registered by a Karhoo representative). The username and password can then be exchanged for an intermediary authorisation grant: an access token, which can be used directly in API calls.
Issuing access tokens
When you are approved as a user, you will be provided with username and password credentials. Use them first to call the Auth API /auth/token endpoint. A successful call to that service responds with the following properties:
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik9UWXdPRVV3T0RGQk5VWkRPRGxFUlRWRU1VRkJPRUl5UTBRd05UY3pORGMzTWtReFFUSTNNdyJ9.eyJodHRwczovL2thcmhvby5jb20vYXBwX21ldGFkYXRhIjp7InZlcnNpbx4iOxIxXjxuMXIsIxVzxXxxxxxxxxxxaG9vXxxxxxxxxxxYTdxxxxxxxxxxi00NDExLWI5NzctMjgxMzc5OGE3YzExIiwiYXV0aDB",
"expires_in": 86400,
"refresh_token": "Xx9x9xXxxxxxXxXxaxXx9xxxxxxxXxXx-xXxxxxxXxXx9x"
}
- access_token - a JSON Web Token (JWT)
- expires_in - the length of time in seconds that the access_token is valid
- refresh_token - used to renew the access_token before it expires
Using access tokens
Access tokens enable access to Karhoo endpoints when added to the Authorization header with the Bearer Token auth scheme.
POST https://rest.karhoo.com/v2/quotes
Authorization: Bearer <issued-access-token>
...
See the code samples in the Karhoo API Explorer for guidance on how to correctly format working API requests.
Refreshing access tokens
These access tokens expire after the number of seconds given in the expires_in property. When the access_token expires, a new one is requested using the Refresh Access Token endpoint.
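The following is an added example, not Karhoo's code: a client-side helper that builds the Authorization header for either grant type and renews the access token shortly before expires_in elapses. The names KarhooAuth, TokenState and REFRESH_MARGIN are assumptions, and the refresh callable is a hypothetical stand-in for a call to the Refresh Access Token endpoint, whose request format is not shown on this page.

```python
import time
from dataclasses import dataclass, field

REFRESH_MARGIN = 60  # assumption: renew this many seconds before expiry


@dataclass
class TokenState:
    access_token: str = field(repr=False)   # repr=False keeps secrets out of logs
    refresh_token: str = field(repr=False)
    expires_at: float

    @classmethod
    def from_response(cls, body, now, previous_refresh=None):
        # Field names are those of the /auth/token response shown on this page.
        # Assumption: a renewal response may omit refresh_token, so keep the old one.
        return cls(body["access_token"],
                   body.get("refresh_token", previous_refresh),
                   now + int(body["expires_in"]))


class KarhooAuth:
    """Produces the Authorization header for either grant type."""

    def __init__(self, api_key=None, token_response=None, refresh=None,
                 clock=time.time):
        if (api_key is None) == (token_response is None):
            raise ValueError("supply exactly one of api_key or token_response")
        self._api_key = api_key
        self._refresh = refresh  # hypothetical callable: refresh_token -> response dict
        self._clock = clock
        self._state = None
        if token_response is not None:
            self._state = TokenState.from_response(token_response, clock())

    def headers(self):
        if self._api_key is not None:
            return {"Authorization": f"ApiKey {self._api_key}"}
        if self._clock() >= self._state.expires_at - REFRESH_MARGIN:
            if self._refresh is None:
                raise RuntimeError("access token expired; no refresh callable set")
            body = self._refresh(self._state.refresh_token)
            self._state = TokenState.from_response(
                body, self._clock(), self._state.refresh_token)
        return {"Authorization": f"Bearer {self._state.access_token}"}
```

Calling headers() before every request keeps the expiry check in one place, and the repr=False fields stop token values from appearing when the state object is logged or printed.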
Updated about 2 years ago