Authenticating
Authentication is handled through the use of an API key, which can be managed in your Lucca account settings. Each key is given its owned dedicated role that dictates the depth and breadth of its access rights. This dedicated role has the same name as the API key by default, and is listed at the very bottom of the list of roles in the corresponding administration interface (i.e. /organization/structure/roles). Once you have an API key, you must reference it on all requests against the Legacy APIs through theAuthorization
HTTP header in the following manner:
Make sure to keep API keys secure. Delete it at once if you suspect it’s been
compromised and create a new one. You can also periodically change the API key.
Please not that if authentication was unsuccessful (most likely due to
an invalid API key), then the server will return a
401 Unauthorized HTTP
status code.It is considered good practice to create a new API key for each integration
project. It gives you the opportunity to finely tune access scopes, and limits
security risks in case of a key value leak. In other words, try to attach the minimum
required access scope to any key. There is a guide about setting up access scopes.
Make sure to set the “technical contact” on all keys (email of someone tech-savy
among yourselves). This will be our primary contact point in case of technical problems
or API changes.
CORS Policy
Our Cross-origin Ressource Sharing policy doesn’t allow API call from web browser using a different domains thanilucca.net or ilucca-test.net.
If you need to automate processes using a Lucca API Key, you should do it:
- throught a script
- from an API Platform (e.g. Postman or Azure API Management)
- from the backend of your own application