Skip to main content

Authenticating

Authentication is handled through the use of an API key, which can be managed in your Lucca account settings. Each key is given its owned dedicated role that dictates the depth and breadth of its access rights. This dedicated role has the same name as the API key by default, and is listed at the very bottom of the list of roles in the corresponding administration interface (i.e. /organization/structure/roles). Once you have an API key, you must reference it on all requests against the Legacy APIs through the Authorization HTTP header in the following manner: 
Authorization = lucca application={API_KEY}
Make sure to keep API keys secure. Delete it at once if you suspect it’s been compromised and create a new one. You can also periodically change the API key.
Please not that if authentication was unsuccessful (most likely due to an invalid API key), then the server will return a 401 Unauthorized HTTP status code.
It is considered good practice to create a new API key for each integration project. It gives you the opportunity to finely tune access scopes, and limits security risks in case of a key value leak. In other words, try to attach the minimum required access scope to any key. There is a guide about setting up access scopes.
Make sure to set the “technical contact” on all keys (email of someone tech-savy among yourselves). This will be our primary contact point in case of technical problems or API changes.
GET /api/v3/users HTTPS/2
Host: example.ilucca.net
Authorization: lucca application={API_KEY}
Accept: application/json

CORS Policy

Our Cross-origin Ressource Sharing policy doesn’t allow API call from web browser using a different domains than ilucca.net or ilucca-test.net. If you need to automate processes using a Lucca API Key, you should do it:
  • throught a script
  • from an API Platform (e.g. Postman or Azure API Management)
  • from the backend of your own application