
API Authentication

Learn how to authenticate your API requests to the Branded Barber API.

Authentication Methods

The Branded Barber API currently supports API key authentication for protected endpoints. Public endpoints (like content retrieval) may not require authentication depending on your configuration.

API Key Authentication

For authenticated requests, include your API key in the request headers:

Authorization: Bearer YOUR_API_KEY

Note: Replace YOUR_API_KEY with your actual API key. Contact your administrator to obtain an API key.

Example Request

Here's an example of making an authenticated request using curl:

curl -X GET \
  https://your-api-domain.com/api/v1/tenant-1/barbers \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Or using JavaScript fetch:

const response = await fetch(
  'https://your-api-domain.com/api/v1/tenant-1/barbers',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',
      'Content-Type': 'application/json'
    }
  }
);

const data = await response.json();

Public Endpoints

Some endpoints are designed to be publicly accessible and don't require authentication:

GET /api/v1/:tenantId/content

Retrieve public content configuration for a tenant. No authentication required.

GET /api/v1/:tenantId/gallery

Retrieve gallery items. Public endpoint, no authentication required.

Protected Endpoints

Endpoints that modify data (POST, PUT, DELETE) typically require authentication:

POST /api/v1/:tenantId/gallery

Create a new gallery item. Requires authentication.

POST /api/v1/:tenantId/barbers

Create a new barber profile. Requires authentication.

Error Responses

If authentication fails, you'll receive a 401 Unauthorized response:

{
  "success": false,
  "error": {
    "message": "Unauthorized",
    "code": "UNAUTHORIZED"
  }
}

Common authentication errors:

  • 401 Unauthorized: Missing or invalid API key
  • 403 Forbidden: Valid key but insufficient permissions
  • 429 Too Many Requests: Rate limit exceeded

Security Best Practices

Important: Never expose your API keys in client-side code or commit them to version control. Always use environment variables or secure secret management.

Follow these security best practices:

  • Store API keys in environment variables
  • Use HTTPS for all API requests
  • Rotate API keys regularly
  • Use different keys for development and production
  • Never log or expose API keys in error messages
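
The practices above applied to the fetch call from this page, as an added example (not the Branded Barber project's own code): the key is read from an environment variable, a non-HTTPS base URL is rejected before the key is sent, and failure messages are redacted before they can reach a log. The variable names BRANDED_BARBER_API_KEY and BRANDED_BARBER_BASE_URL and all helper names are assumptions.

```javascript
// Added example for server-side Node.js. Assumed (hypothetical) names:
// BRANDED_BARBER_API_KEY, BRANDED_BARBER_BASE_URL, and every function below.
function buildRequest(env, tenantId, resource) {
  const key = env.BRANDED_BARBER_API_KEY;
  if (!key) throw new Error('BRANDED_BARBER_API_KEY is not set');
  const base = new URL(env.BRANDED_BARBER_BASE_URL);
  // Refuse to send the key over plaintext HTTP.
  if (base.protocol !== 'https:') throw new Error('base URL must use https');
  const path = `/api/v1/${encodeURIComponent(tenantId)}/${encodeURIComponent(resource)}`;
  return {
    url: new URL(path, base).toString(),
    options: {
      headers: { Authorization: `Bearer ${key}`, 'Content-Type': 'application/json' },
    },
  };
}

// Replace every occurrence of the key so it cannot leak into logs or errors.
function redact(text, key) {
  return key ? String(text).split(key).join('[REDACTED]') : String(text);
}

// Map the statuses documented on this page to a message that is safe to log.
function describeFailure(status, detail, key) {
  const hints = {
    401: 'missing or invalid API key',
    403: 'valid key but insufficient permissions',
    429: 'rate limit exceeded',
  };
  const hint = hints[status] || 'unexpected status';
  return redact(`HTTP ${status}: ${hint} (${detail})`, key);
}

// fetchImpl is injectable so the call can be exercised without a network.
async function getBarbers(env, tenantId, fetchImpl = fetch) {
  const { url, options } = buildRequest(env, tenantId, 'barbers');
  const response = await fetchImpl(url, options);
  if (!response.ok) {
    const body = await response.text();
    throw new Error(describeFailure(response.status, body, env.BRANDED_BARBER_API_KEY));
  }
  return response.json();
}
```

Call it as getBarbers(process.env, 'tenant-1') from server-side code, with the key injected by your secret manager or deployment environment.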

Getting an API Key

To obtain an API key for your tenant:

  1. Contact your platform administrator
  2. Provide your tenant ID
  3. Specify the permissions you need
  4. Receive your API key securely

Note: API key generation and management may vary depending on your deployment. Check with your administrator for the specific process.