Skip to main content

Authentication and authorization

To keep transactions on Haravan’s platform safe and secure, all apps connecting with Haravan APIs must authenticate when making API requests.

This guide introduces the different methods of authenticating and authorizing apps and services with Haravan’s platform. Make sure that you understand the differences between the types of authentication and authorization schemes before you begin your development process.

Types of authentication

Different types of apps use different authentication or authorization methods:

  • Public apps use OAuth.
  • Public apps that are embedded in the Haravan admin use OAuth and session tokens.
  • Private apps use Private authentication.

App extensions

Any web application or service that connects with Haravan’s platform is referred to as an app, regardless of how it’s exposed to end users.

An app extension isn’t an app. It's a mechanism that lets an app add features to certain defined parts of several Haravan user interfaces. The areas available to app extensions are defined by extension points.

Apps that use extensions must adhere to the same authentication and authorization requirements as apps that don’t use extensions.

How your app accesses Haravan

Haravan has many APIs that let developers extend the platform’s built-in features. These APIs let you read and write merchant data, work with other systems and platforms, and add new functionality to Haravan.

API nameDescriptionAuthenticated?API format
Omni APIThe primary way that apps and services interact with Haravan. It provides extensive access to data about individual Haravan stores, and lets you add your own features to the Haravan user experience.YesREST
Ajax APIProvides lightweight endpoints for development of Haravan themes.NoREST

OAuth authorization

To use Haravan’s APIs, public apps must get authorization using OAuth. Apps then use the access token they receive through OAuth to authenticate their requests.

To authorize a public app, you need to generate credentials from your Partner Dashboard, and then use those credentials to implement OAuth.

Private authentication

Private apps can authenticate through Private authentication by using their API key. You can generate these credentials from the Haravan admin of the store that you want to connect with your app.

You must include the request header Authorization: Bearer {API_key}, where {API_key} is replaced by your private app’s API key.

How merchants access your app

Embedded apps use session tokens to authenticate the requests that it makes between the client side and your app's backend. Session cookies used to fill this role, but have become unreliable due to browser policy changes, and so session tokens are used instead.

To operate as an embedded app, the frontend of your app requests a session token from Haravan using Haravan App-sdk, and then includes it in each request that it makes to the backend of the app. The backend then uses the session token to determine the user's identity.

The following diagram shows the authentication process using session tokens and API access tokens:

Note: Session tokens aren't a replacement for implementing OAuth with Haravan. Unlike API access tokens, session tokens can't be used to make authenticated requests to Omni APIs.

Next steps

  • Authorize your public app with OAuth.
  • Authenticate your embedded app using session tokens.
  • Authenticate your private app using Private authentication.