Multi-level API
The IvozProvider API is divided into the same three levels as the web administration portal, plus a user API:
- God
- Brand
- Client
- User
This split allows different roles with different responsibilities to integrate against it without compromising security (that is, without reading, editing, updating or deleting data they should not).
If you check the security policies (the read_access_control and write_access_control attributes), you’ll see that we apply read filters and write validations based on user information (the token). A single-API approach would require complex validations that are more prone to failure, would introduce errors, and would require huge queries that would impact performance.
Note
That is why we split it into three APIs with an impersonate mechanism to move between them. This mechanism is explained in the Use Case section.
To access each level, you need the corresponding level URL and credentials:
God API access
- Credentials: God credentials defined in Main operators.
Brand API access
- Credentials: Brand credentials defined in Brand operators.
Client API access
- Credentials: Client credentials defined in Client Operators.
User API access
- Credentials: User credentials defined in Users.
Warning
All credential usernames are unique at brand level. This is why the username + brand URL pair is needed to identify a user (both in the API and in the web portal).
Tip
As both brand and client URLs are internally linked to the same brand (the client belongs to that brand), it is also possible to access the client API using a brand URL + /api/client.
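The following added example is a simplified model of the two ideas above: identity resolved from the username + brand URL pair, and read filters and write validations driven by the token. It is not IvozProvider's own code; the hostnames, field names (`brand_id`, `client_id`, `level`) and sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: hostnames, usernames and field names are assumptions.
BRAND_BY_HOST = {"brand-a.example.com": 1, "brand-b.example.com": 2}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _operator(brand_id, username, password, level, client_id=None):
    salt = os.urandom(16)
    return {"brand_id": brand_id, "username": username, "level": level,
            "client_id": client_id, "salt": salt, "hash": _hash(password, salt)}


# Usernames are unique only inside a brand, so the key is (brand_id, username).
OPERATORS = {(o["brand_id"], o["username"]): o for o in [
    _operator(1, "admin", "pw-a", "brand"),
    _operator(2, "admin", "pw-b", "client", client_id=20),
]}
CLIENTS = [{"id": 10, "brand_id": 1}, {"id": 11, "brand_id": 1},
           {"id": 20, "brand_id": 2}, {"id": 21, "brand_id": 2}]


def authenticate(host, username, password):
    """Resolve the brand from the URL host first, then the username inside it."""
    op = OPERATORS.get((BRAND_BY_HOST.get(host), username))
    if op is None or not hmac.compare_digest(op["hash"], _hash(password, op["salt"])):
        return None
    # Stand-in for the token: only the claims the filters below need.
    return {k: op[k] for k in ("level", "brand_id", "client_id")}


def readable_clients(token):
    """Read filter: rows are narrowed by the token's scope, not by request input."""
    if token["level"] == "brand":
        return [c["id"] for c in CLIENTS if c["brand_id"] == token["brand_id"]]
    if token["level"] == "client":
        return [c["id"] for c in CLIENTS if c["id"] == token["client_id"]]
    return []  # default deny for any level this sketch does not model


def can_write_client(token, client_id):
    """Write validation: the target row must fall inside the same scope."""
    return client_id in readable_clients(token)
```

The same username `admin` resolves to two unrelated principals depending on the brand host, and each per-level filter stays a single short condition instead of one query that has to handle every role.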