om een gepersonaliseerde navigatie te krijgen.
om een gepersonaliseerde navigatie te krijgen.
Go to the API Library page and select an API.
The status of an API is displayed using the following labels:
If you plan to use an API in production, view the API requirements for that API, and ensure that you comply. If you would like to know more about the different statuses of an API please go here.
To use a YouServe API product, you must register and create an account. An account is quick to set up and is free of charge. You only need your phone and company address to register.
To register and create an account:
After login, you can go to Your Apps and see all applications you have access to.
Creating applications on the developer portal is done at this moment with a ticket through support. Please go to the support section for details.
As soon as the request is processed the application will show up in the developer portal.
We follow current industry standards and best practices. Authentication/authorization is no exception. As part of the Identity and Access Management Strategy for system-to-system integrations, our APIs are based on OAuth 2.0 and the authorization grant Client Credentials.
Every API consumer system will be provisioned in our Developer portal as a Client Application (App). API key (client_id) and Secret Key (client_secret) will be provided to be used by Apps as credentials.
Apps will be able to authenticate and get an access token (JWT) within the response payload. Subsequent request authorization will be based on that access token previously retrieved.
In order to grant access to a target API, Apps must first authenticate against our Authorization Server. The request payload must include the Content-Type header and the HTTP body must include the required Client Credentials (API Key and Secret Key).
curl -X POST |
Below, is a response payload example containing the access token and the expiration time which is 60 min. After that time Apps need to re-authenticate to get a new access token.
{ |
This is an additional security level to retrieve the access token. Instead of using API key (client_id) and Secret Key (client_secret), the token will be retrieved using the API Key (client_id) + client_assertion (generated with a private key).
In order to grant access to a target API, Apps must first authenticate against our Authorization Server. The request payload must include the Content-Type header and the HTTP body must include the required Client Credentials (API Key and client JWT).
curl --location --request POST 'https://api.youserve.nl/sec/oauth2/token' \ |
The value of the client_id parameter is the API Key of the application created by the customer in the Dev Portal, and the value of the client_assertion parameter is the client JWT.
Below, is a response payload example containing the access token and the expiration time which is 60 min. After that time Apps need to re-authenticate to get a new access token.
{ |
To set up the connection a private and public key need to be generated. The public key needs to be sent to Visma YouServe, to be registered.
The private key should be used in the generation of the client JWT.
Example of the header section of JWT:
{
"alg": "RS256",
"typ": "JWT",
"kid": "c812sdf3468kjk0348sgsfg102398ee"
}
Example of the payload section of JWT:
{
"sub": "{api_key}",
"iss": "client.yourdomain.com",
"exp": 1646832954,
"iat": 1646832054,
"jti": "b3953f18-4126-4378-8299-d4a0e6355140"
}
Some useful tips:
After the Apps have received a valid token, they are ready to perform requests to any of our YouServe APIs. Apps must use the Authorization header containing the access token. In addition, will need to mark every request with the Client ID, using a custom header for that purpose.
Below, is a fetching data request example:
curl -X GET |
The error payload shown below describes the 401 error response Apps will receive in case of any authentication error.
{ |
Miss use reasons for having authentication errors are:
Wrong credentials
Expired credentials
Unauthorized access tokens
Invalid
Expired
Our API's domain is secured by using DigiCert (SHA2) certificates, a worldwide industry-recognized provider.
TLS 1.2 (only) |
ECDHE RSA with X25519 |
AES_256_GCM |
All HTTP requests will be refused with a Not Found 404 error response.
Our APIs have headers in common
Cache-Control |
The Cache-Control general-header field is used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain. In our authentication request, the header is mandatory with the value Cach-Control: no-cache |
Content-Type |
The content type of the resource in case the request requires content in the body. Example: Content-Type: application/x-www-form-urlencoded |
Authorization |
The information required to request authentication |
Accept |
The Accept request-header field can be used to specify certain media types which are acceptable for the response. Accept: text/plain |
X-raet-tenant-id |
This header is used to specify for which tenant the data is requested. For tokens with single-tenant access, this header is not mandatory x-raet-tenant-id: 1234567 |
Our APIs have response codes in common.
Success Codes |
200 OK |
Synchronous read, update, and delete operations |
201 Created |
Synchronous create requests |
|
202 Accepted |
A-synchronous operations |
|
204 No Content |
Referring to non-existing entity (e.g. after delete) |
|
Redirection Codes |
304 Not Modified |
Resource has not been modified. |
308 Permanent redirect |
Resource has permanently moved. |
|
Invalid Request Errors |
400 Bad request |
Bad Request (e.g. validation errors) |
401 Unauthorized |
Not Authorized: Missing or invalid access token |
|
403 Forbidden |
Not Authorized: Authenticated, but user has no access to the API |
|
404 Not Found |
Invalid URL: Item does not exist (anymore). The canonical identifier (collection/{canonical id}) cannot be found. Not Authorized: Authenticated, access to API, but user has no access to the resource (data authorization). From a security standpoint, we don't expose the reason why the object could not be found because an attacker can use this to figure out the internals of our system. |
|
409 Conflict |
Concurrency problem: Record changed by another user |
|
Server Errors |
500 Internal server error |
Server Error (e.g. database failure, event could not be sent) |
503 Service unavailable |
Server Error (resource temporary not available) |
|
Copyright 2022 Visma Community. All right reserved.