GLUE Authentication API

Glue APIs use the OAuth 2.0 protocol for authentication and authorization. OAuth 2.0 is a secure, standard protocol that allows a client to send authorized requests to the GLUE API services.

The authentication flow follows these steps:

  1. A client application sends its Glue API username and password via HTTP Basic Authentication to exchange these credentials for an access token.
  2. When accessing a protected API service, the client application uses the access token to authenticate.

How to get account information for Posti Glue

If your business does not have a Glue service account, contact Posti Customer Service to get one. Note that you also need a contract with Posti.

How to test the service account

Replace accountname:secret with the service account details that Posti has provided to you.

Example request:

curl -H "Accept: application/json" --user "accountname:secret" https://ecom-api.posti.com/auth/token

Accessing Glue APIs

Environment  Protocol  Host                              Path
UAT          HTTPS     https://argon.ecom-api.posti.com  /auth/token
Prod         HTTPS     https://ecom-api.posti.com        /auth/token

Step 1: Encode username and password

Concatenate the username, a colon character ":", and the password into a single string, then Base64 encode that string. Base64 is an encoding, not encryption, so the credentials are protected only by the HTTPS transport.

Credentials: accountname:secret

Base64 encoded value: YWNjb3VudG5hbWU6c2VjcmV0


Step 2: Get access token from Authorization Server

Before your application can access GLUE API services, it must obtain an access token that grants access to the services.

Access token endpoint: https://ecom-api.posti.com/auth/token

Example request:

GET https://ecom-api.posti.com/auth/token
Headers: Accept: application/json
         Authorization: Basic YWNjb3VudG5hbWU6c2VjcmV0
...

Example response:

{
    "access_token": "abc123",
    "token_type": "bearer",
    "expires_in": 3600,
    "scope": "internal"
}

Step 3: Authenticate API requests with the access token

The access token may be used to issue requests to GLUE API endpoints. To use the access token, construct a normal HTTPS request and include an Authorization header with the value "Bearer " followed by the access token.

The default expiration time is one hour. After that, the client application has to request a new access token.

Example request:

GET https://ecom-api.posti.com/ecommerce/v3/services
Headers: Authorization: Bearer abc123
...
  

Status codes

Status  Error         Message          Meaning
401     Unauthorized  Bad credentials  Wrong username or password, or the account is locked for 1 hour after 5 invalid login attempts.
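
The three steps above combined with the lockout rule from the status table, as an added example (not Posti's code): the token is cached until shortly before expires_in elapses, and credentials that were rejected with 401 are never resent, so a misconfigured client does not use up the 5 invalid attempts. TokenCache, BadCredentials, http_get_json and the 60-second refresh margin are names and values assumed for this example.

```python
import base64, json, time
import urllib.error, urllib.request

TOKEN_URL = "https://ecom-api.posti.com/auth/token"  # Prod endpoint from the page

class BadCredentials(Exception):
    """401 from the token endpoint; retrying would count toward the lockout."""

def basic_header(username, password):
    # Step 1: Base64("username:password"); encoding only, TLS protects it in transit.
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def http_get_json(url, headers):
    # Default transport (assumed helper): returns (status, parsed JSON or None).
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, None

class TokenCache:
    def __init__(self, username, password, transport=http_get_json,
                 clock=time.monotonic, margin=60):
        self._auth = basic_header(username, password)
        self._transport, self._clock, self._margin = transport, clock, margin
        self._token, self._expires_at, self._rejected = None, 0.0, False

    def bearer_header(self):
        # Never resend credentials that were already rejected: 5 invalid
        # attempts lock the account for 1 hour.
        if self._rejected:
            raise BadCredentials("credentials rejected earlier; not retrying")
        if self._token is None or self._clock() >= self._expires_at:
            # Step 2: exchange the Basic credentials for an access token.
            status, body = self._transport(
                TOKEN_URL, {"Accept": "application/json", "Authorization": self._auth})
            if status == 401:
                self._rejected = True
                raise BadCredentials("401 Unauthorized: Bad credentials")
            if status != 200 or str(body.get("token_type", "")).lower() != "bearer":
                raise RuntimeError(f"unexpected token response (HTTP {status})")
            self._token = body["access_token"]
            # Refresh `margin` seconds before expires_in runs out.
            self._expires_at = self._clock() + int(body["expires_in"]) - self._margin
        # Step 3: header for requests to GLUE API endpoints.
        return {"Authorization": "Bearer " + self._token}
```

Passing a different transport or clock lets the cache be exercised without network access; the defaults call the production token endpoint.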