Types of API Tokens

Learn about the various types of API tokens.

OAuth 2.0 Bearer Token

Cadana’s API uses the OAuth 2.0 Bearer Token mechanism for authentication. Every API call you make must include this bearer token in the Authorization header, or authentication will fail.

Types of API Tokens

Cadana offers three distinct types of API tokens to cater to various integration scenarios:

1. Org API Tokens

  • Purpose: These are broad, system-level tokens, granting access to a specific organization and all its associated functionalities.
  • Usage: Ideal for backend infrastructure, these tokens should never be exposed to end-users.
  • Creation & Management: Generate or revoke these tokens via Cadana’s Dashboard. For added security, you can bind tokens to specific IP addresses.

2. Platform API Tokens

  • Purpose: These tokens are not restricted to a particular organization. They grant access to the primary organization and any additional businesses created.
  • Access: Platform API tokens require special access before they can be created. Please reach out to your account manager to enable access.
  • Special Feature: When using a Platform API Key for business-specific actions, you must pass the custom header X-MultiTenantKey to specify which business you're accessing. For instance:
curl -X GET 'https://api.cadanapay.com/v1/users' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${PLATFORM_TOKEN}" \
  -H "X-MultiTenantKey: ${tenantKey}"

3. User Tokens

  • Purpose: User Tokens are specific to individual end-users, whether they are an admin, employee, or contractor. They grant access solely to resources associated with the particular user for whom the token was generated.

  • Duration: A User Token remains valid for up to 1 hour. After this period, you'll need to obtain a new token.

  • Usage: These tokens are designed for making direct API calls from your frontend, be it a browser or a mobile app. To enhance user experience and minimize the frequency of authentications, it's recommended to store the user token on the user’s device. The browser's local storage is an ideal location for this.

  • Tip: If your existing authentication provider is both ISO/SOC 2 compliant and supports the JWT standard, you can seamlessly integrate it to obtain a Cadana user token. For a deeper dive into this, refer to our section on custom authentication.
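
The Duration and Usage points above combine into a small client-side token cache, shown here as an added example that is not Cadana's own code. The storage key name, the one-minute early-expiry margin and the in-memory storage stand-in are assumptions made for illustration.

```javascript
// Added example: caches a User Token on the client and drops it once the
// 1-hour validity window has passed. All names here are hypothetical.
const USER_TOKEN_TTL_MS = 60 * 60 * 1000; // page: valid for up to 1 hour
const SKEW_MS = 60 * 1000;                // assumption: treat as expired 1 min early
const STORAGE_KEY = "cadana_user_token";  // hypothetical storage key

// Minimal in-memory stand-in so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createUserTokenStore(storage, now = Date.now) {
  return {
    // Call right after the token is issued; savedAt approximates issue time.
    save(token) {
      storage.setItem(STORAGE_KEY, JSON.stringify({ token, savedAt: now() }));
    },
    // Returns the token, or null when it is absent, corrupted or too old.
    get() {
      const raw = storage.getItem(STORAGE_KEY);
      if (raw === null) return null;
      let rec;
      try { rec = JSON.parse(raw); } catch { rec = null; }
      const age = rec && typeof rec.savedAt === "number" ? now() - rec.savedAt : NaN;
      const ok = rec && typeof rec.token === "string" && rec.token !== "" &&
                 age >= 0 && age < USER_TOKEN_TTL_MS - SKEW_MS;
      if (!ok) { storage.removeItem(STORAGE_KEY); return null; }
      return rec.token;
    },
    clear() { storage.removeItem(STORAGE_KEY); },
    // Headers for a direct API call; null means a new token must be obtained.
    authHeaders() {
      const token = this.get();
      return token ? { Authorization: `Bearer ${token}` } : null;
    },
  };
}
```

In a browser, pass `window.localStorage` as the storage argument. Any script running on the page's origin can read local storage, so call `clear()` on logout and whenever the API rejects the token.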