Security
The Antavo Loyalty Engine communicates with client systems through API requests. These requests vary in function, and securing them protects personal data and also helps to prevent fraudulent behaviour.
HTTPS
All API requests made to Antavo should use HTTPS: the transport-level encryption helps to prevent man-in-the-middle and eavesdropping attacks while preserving in-transit confidentiality and integrity. Plain-text HTTP requests, which should be avoided, are redirected to HTTPS, and that redirect can cause problems within clients' server frameworks.
API keys
The Antavo Enterprise Loyalty Cloud uses an API key and secret to authenticate and sign requests. The API key and secret for each loyalty program are generated at the start of each project. Users with the necessary clearance can inspect or regenerate the API key and secret pair on the Loyalty Platform.
Signing API Requests
API requests to the Antavo Enterprise Loyalty Cloud (ELC) must be signed so that the sender can be reliably identified and data integrity is maintained in transit. Requests are signed using an Antavo API key and Antavo API secret together with a timestamp and other request-specific metadata. This ensures that the submitted request originates from the authorized client, that the transmitted data is not modified in transit, and that it is accepted only once within a time window. The API signing protocol can be found here
All APIs, except the Auth API (an internal API, primarily used by the JavaScript SDK), require signing.
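To make the three goals above concrete (sender identification, integrity in transit, and acceptance only once within a time window), here is an added, self-contained Python example of a generic HMAC-SHA256 request-signing scheme with a server-side verifier. It is not Antavo's own signing protocol (this page only links to it); the header names, the canonical string layout and the 300-second window are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

WINDOW_SECONDS = 300  # assumed: max clock drift tolerated between client and server

def canonical_string(method, path, body, timestamp, nonce):
    # Everything bound into the signature; altering any field, the
    # timestamp or the nonce invalidates the signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])

def sign_request(api_key, api_secret, method, path, body, timestamp=None, nonce=None):
    """Client side: build the auth headers (assumed names) for one request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce)
    sig = hmac.new(api_secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Api-Key": api_key, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": sig}

class Verifier:
    """Server side: identity (key lookup), integrity (HMAC), single use (nonce)."""
    def __init__(self, secrets_by_key, window=WINDOW_SECONDS):
        self.secrets_by_key = secrets_by_key  # api_key -> api_secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; the replay cache

    def verify(self, headers, method, path, body, now=None):
        now = int(time.time()) if now is None else now
        secret = self.secrets_by_key.get(headers.get("X-Api-Key"))
        if secret is None:
            return False, "unknown api key"
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        if nonce in self.seen:
            return False, "replay"
        msg = canonical_string(method, path, body, ts, nonce)
        expected = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # Record the nonce only once the signature is valid; drop stale entries.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        self.seen[nonce] = ts
        return True, "ok"
```

Note that the nonce is stored only after the signature check passes, so unauthenticated traffic cannot fill the replay cache, and the comparison uses `hmac.compare_digest` to avoid leaking the expected signature through timing.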
Warning
A signed request is the only way to access information from APIs in production environments.
Request signing/authentication can be disabled in development environments, primarily to make development and testing easier. However, because this lowers the security level, only non-sensitive sample data should be used in such environments.