API Authorization

How does API Authorization work?

In Enterprise API, authorization involves comparing the content of the authorization token with the data in the request, such as the customer number and service access permissions.

Steps in the Authorization Process:

Request Submission: The client sends a request that includes a customer number and an authorization token in the authorization header.

Token Validation: The API checks the token’s content, which includes the authorized customer number(s) and the services the token allows access to.

Comparison with Request Data:

The customer number in the request is compared with the authorized customer number(s) in the token.

The API also checks if the token allows access to the requested service (e.g., “ola” service).

Decision:

If the customer number in the request matches the authorized customer number in the token and the token allows access to the requested service, the request is processed.

If either the customer number or the service permission in the token does not match the request, the API will reject the request and return a 403 Forbidden error.

403 Error Example:

{
    "code": 403,
    "errors": [
        {
            "message": "Your API user does not have access to get data for customerId provided",
            "field": "customerId"
        }
    ]
}
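The check described in the steps above, carried through as an added example that is not the Enterprise API's own code: it takes the authorization header and the request's customer number and service, compares them with the customer number(s) and services the token grants, and returns either the request data or an error envelope in the shape of the 403 example. The bearer scheme, the token registry, the 401 response for a missing or unknown token, and the wording of the service-mismatch message are assumptions made for this example; the customerId message and field are the ones shown on the page.

```python
import hmac
import json

# Constructed sample token registry (an assumption for this example): maps an
# opaque bearer token to the claims the page says a token carries, namely the
# authorized customer number(s) and the services it grants access to. A real
# deployment would obtain these claims from a signed, validated token.
TOKEN_CLAIMS = {
    "tok-example-ola-only": {"customerIds": {"100200", "100201"}, "services": {"ola"}},
    "tok-example-two-services": {"customerIds": {"100200"}, "services": {"ola", "billing"}},
}

# Exact message and field from the page's 403 example.
CUSTOMER_FORBIDDEN_MESSAGE = (
    "Your API user does not have access to get data for customerId provided"
)
# The page shows no message for a service mismatch; this wording is assumed.
SERVICE_FORBIDDEN_MESSAGE = "Your API user does not have access to the requested service"


def parse_bearer(header_value):
    """Return the token from an 'Authorization: Bearer <token>' value, else None.

    The 'Bearer' scheme is an assumption; the page only says the token travels
    in the authorization header.
    """
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def lookup_claims(token):
    """Find the claims for a token using a constant-time comparison, so the
    lookup does not leak how many leading characters of a token matched."""
    for known, claims in TOKEN_CLAIMS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return claims
    return None


def error_body(code, message, field):
    """Build the error envelope in the shape shown in the page's 403 example."""
    return {"code": code, "errors": [{"message": message, "field": field}]}


def authorize(headers, customer_id, service):
    """Apply the page's decision rule to one request.

    Returns (http_status, response_body). The 401 for a missing or unknown
    token is an assumption; the page only specifies the 403 cases.
    """
    token = parse_bearer(headers.get("Authorization"))
    claims = lookup_claims(token) if token else None
    if claims is None:
        return 401, error_body(401, "Missing or invalid authorization token", "Authorization")

    # Exact-match set membership: "100200" must not authorize "1002001", so
    # never use prefix or substring comparison here.
    if str(customer_id) not in claims["customerIds"]:
        return 403, error_body(403, CUSTOMER_FORBIDDEN_MESSAGE, "customerId")

    if service not in claims["services"]:
        return 403, error_body(403, SERVICE_FORBIDDEN_MESSAGE, "service")

    return 200, {"customerId": str(customer_id), "service": service}


if __name__ == "__main__":
    hdrs = {"Authorization": "Bearer tok-example-ola-only"}
    for cid, svc in [("100200", "ola"), ("999999", "ola"), ("100200", "billing")]:
        status, body = authorize(hdrs, cid, svc)
        print(status, json.dumps(body))
```

Both mismatch cases return 403 with the same envelope, as the Decision step specifies; the token lookup and the customer-number check are kept separate so that a request with a valid token for the wrong customer is reported as a 403 on the customerId field rather than as a bad token.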

A 403 Forbidden error occurs if: