The imin Platform
2.0.0

Authentication


Last updated 8 months ago

Obtaining and Using API Keys

Obtaining an API Key

To obtain a new API key, please contact hello@imin.co and we will issue you a key as soon as possible.

Before you have an API key, you can explore the Events API by:

  • Referring to our reference documentation to see example requests, responses, and descriptions of each endpoint; and

  • Using our test API key to take a look at the dummy data ("Lorem Fitsum") in the Events API.

Please note, this functionality is only available for the Events API.

If you believe your key has been compromised, please contact your account manager who will issue you a new key as quickly as possible.

Using the API Key

Once you have a valid API key, making an authenticated request is straightforward. On each request, include the HTTP request header X-API-KEY, set to the value of your valid API key. For example:

X-API-KEY: 6aa0fa074bec4a5cb0e8ed8fd36151ce

6aa0fa074bec4a5cb0e8ed8fd36151ce is included here for illustrative purposes only and is not a functional API key.

Single-Use API Keys

Each API key issued is to be used exclusively within one of your digital services, unless you have our explicit permission to do otherwise. This means that if you are building more than one product, you will require more than one API key. For example, a web app and a mobile app will each require their own unique API key.

If you have a B2B2C product (i.e. you sell or licence to other businesses a product that uses the imin Platform, e.g. a whitelabel corporate wellbeing solution), you may require a custom licence setup for each re-use. Please get in touch to discuss your requirements in more detail.

If you are found to be using the same API key in a manner detailed above (or any other way that we deem to be misuse of a single-use API key) without our written permission, we reserve the right to suspend your access to our Platform without notice.

API Keys and Best Practice

Server-Side Connections

All requests must be made server-side, otherwise it will be possible to view your unique single-use API key(s) with a browser.

All requests must be made server-side. If you are found to be using or are attempting to use API key(s) from within browsers without our express permission, we reserve the right to suspend your access to our Platform without notice.

Keeping your Key Safe

Your secret API key can be used to make any API call on behalf of your account. Ensure it is kept out of any version control system that you may be using. You should treat it as you would a password.

If you are using a header extension in your browser, we recommend turning off the header when you are not using the API to avoid revealing it when you visit other websites on that browser.
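One way to check that a key has not slipped into version control, as an added example that is not part of imin's documentation or tooling: a scanner you could run over staged file content before a commit. It assumes issued keys have the same shape as the illustrative key above (32 hexadecimal characters); the sample content and the name IMIN_API_KEY are constructed.

```python
import re

# Assumption: issued keys look like the page's illustrative key
# (32 hexadecimal characters). Adjust the pattern if yours differ.
KEY_SHAPE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Only lines that talk about an API key are inspected, to limit noise.
CONTEXT = re.compile(r"x-api-key|api[_-]?key", re.IGNORECASE)
# The non-functional example key from the documentation is not a finding.
DOC_EXAMPLE = "6aa0fa074bec4a5cb0e8ed8fd36151ce"


def mask(value):
    """Show only enough of a key to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:]


def find_committed_keys(text, path="<stdin>"):
    """Return (path, line_no, masked_value) for each key-shaped literal
    found on a line that mentions an API key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not CONTEXT.search(line):
            continue
        for match in KEY_SHAPE.finditer(line):
            if match.group(0).lower() != DOC_EXAMPLE:
                findings.append((path, line_no, mask(match.group(0))))
    return findings


# Constructed sample of staged file content (all values are made up).
SAMPLE = '''\
headers = {"X-API-KEY": os.environ["IMIN_API_KEY"]}
headers = {"X-API-KEY": "0123456789abcdef0123456789abcdef"}
# docs example: X-API-KEY: 6aa0fa074bec4a5cb0e8ed8fd36151ce
commit = "0123456789abcdef0123456789abcdef01234567"
IMIN_API_KEY=fedcba9876543210fedcba9876543210
'''

if __name__ == "__main__":
    for finding in find_committed_keys(SAMPLE, "settings.py"):
        print("%s:%d: possible API key %s" % finding)
```

A non-empty result should block the commit; if the key has already been pushed, treat it as compromised and request a new one as described above.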

Prepare for Key Rotation

For security reasons, we will periodically rotate keys. Rotating keys means that we will add a new API key for your access. Then, after a period of time, we will deprecate the old API key so that only the new API key works. We will also do this early if our monitoring systems suspect that keys are being used by unauthorised parties. We will always give notice before doing this.

If your app has been built by a technical team which is not in-house and full-time, e.g. a software agency, you may prefer to make sure that API keys can be changed without having to hire an agency. If API keys are stored in environment variables, make sure that the technical team have handed over how to update the environment variables to new values.
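The practices above combined in one server-side helper, as an added example that is not imin's code: the key is read from the environment on every call, sent in the X-API-KEY header, and a second variable lets the new key be staged during a rotation window. The variable names IMIN_API_KEY and IMIN_API_KEY_NEXT and the treatment of HTTP 401/403 as "key rejected" are assumptions, not documented platform behaviour.

```python
import os
import urllib.error
import urllib.request

# Hypothetical variable names; the page only says keys may live in
# environment variables. The newer key is listed first.
KEY_VARS = ("IMIN_API_KEY_NEXT", "IMIN_API_KEY")


def candidate_keys(env=None):
    """Return the configured keys, newest first. Reading at call time means
    a rotated value takes effect without a code change."""
    env = os.environ if env is None else env
    keys = [env[v].strip() for v in KEY_VARS if env.get(v, "").strip()]
    if not keys:
        raise RuntimeError("no API key configured in " + ", ".join(KEY_VARS))
    return list(dict.fromkeys(keys))  # de-duplicate, keep order


def build_request(url, key):
    """Attach the key as a request header, never as a URL parameter."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"X-API-KEY": key})


def fetch(url, env=None, opener=urllib.request.urlopen):
    """Try each configured key in turn, falling back only when the server
    rejects the key (assumed here to be HTTP 401 or 403)."""
    last_error = None
    for key in candidate_keys(env):
        try:
            with opener(build_request(url, key), timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code not in (401, 403):
                raise  # not a key problem; do not mask it
            last_error = err
    raise last_error
```

Once the old key has been deprecated, move the new value into IMIN_API_KEY and unset IMIN_API_KEY_NEXT so every request succeeds on the first attempt.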
