What is OAuth Authentication?
To use the Stuart API you’ll need to authenticate. All of our endpoints support OAuth 2.0 authentication. Not familiar with it? Check out How does OAuth authentication protocol work?
How do I authenticate via the Stuart API?
Our API documentation details how authentication works in the Stuart API, and you can use the Postman Collection to give it a go.
Where can I find my client ID and secret keys?
You’ll need your client_id and client_secret keys to request an authentication token. These can be found on the Sandbox API credentials or Production API credentials page of your Stuart account. On the API credentials page, your client_id is the ‘API Client ID’ shown there, and the client_secret is the ‘API Secret’ value given.
What are the Stuart authentication best practices?
It is necessary to take into account the following considerations to avoid any integration failures:
Storage: Our token is in JWT format and can be up to 8KiB in length. When storing your token, for example if you persist it in a database, the column used to store it should not have a length limit. Please be sure that your access token is not being stored in a fixed-length variable. We would advise using dynamic memory allocation for this string value.
Caching: Your authentication access token will last 1 month and will be returned with an expires_in value to indicate when it will expire. We strongly advise caching your access token and only renewing it when it’s expired or when you receive an ‘INVALID_GRANT’ error from the API.
Client libraries: To save time and effort, you can use our client libraries when developing your Stuart integration. When doing so, be sure you’ve added a caching mechanism as detailed in the documentation. Here is an example in our PHP client library on how to add caching.
Error handling: In the case that an API request that you make is invalid, you’ll receive a 401 error response with the error code invalid_grant. Upon receiving this error we advise simply requesting a new access token. Find more information on retry mechanisms.
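The caching and error-handling advice above, sketched as an added example that is not code from Stuart or its client libraries. The fetch_token and send callables, the "error" field name in the response body, and the 60-second renewal margin are assumptions made for illustration; plug in your own HTTP calls.

```python
import threading
import time


class TokenCache:
    """Caches one OAuth access token and renews it only when needed."""

    def __init__(self, fetch_token, clock=time.monotonic, skew=60):
        # fetch_token (hypothetical): callable returning the token response
        # as a dict with "access_token" and "expires_in" (seconds).
        self._fetch_token = fetch_token
        self._clock = clock
        self._skew = skew  # assumed margin: renew slightly before expiry
        self._lock = threading.Lock()
        self._token = None
        self._expires_at = 0.0

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at:
                resp = self._fetch_token()
                # Kept as a plain str: no fixed-length buffer for the JWT.
                self._token = resp["access_token"]
                self._expires_at = self._clock() + resp["expires_in"] - self._skew
            return self._token

    def invalidate(self, token):
        # Drop the cached token only if it is the one that was rejected, so
        # concurrent callers do not each trigger a separate renewal.
        with self._lock:
            if self._token == token:
                self._token = None


def call_api(cache, send):
    """send (hypothetical): callable(token) -> (status, body_dict).

    Retries exactly once with a fresh token on a 401 invalid_grant response.
    Reading the code from body["error"] is an assumption about the layout.
    """
    token = cache.get()
    status, body = send(token)
    if status == 401 and str(body.get("error", "")).lower() == "invalid_grant":
        cache.invalidate(token)
        status, body = send(cache.get())
    return status, body
```

The single retry keeps a persistently rejected credential from turning into a loop of token requests.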