Authentication

The Unified Order Service API implements enterprise-grade authentication mechanisms to ensure secure access to order management operations. Two authentication methods are supported: API Key authentication for service-to-service integrations and MSAL (Microsoft Authentication Library) for user-based access control.

Authentication Methods Overview

API Key Authentication

API Key authentication provides a straightforward authentication mechanism suitable for server-to-server integrations, automated processes, and service accounts. Each API key carries specific permissions and channel access restrictions, enabling fine-grained access control.

MSAL Authentication

MSAL authentication integrates with Azure Active Directory to provide user-based authentication with Attribute-Based Access Control (ABAC). This method is designed for applications requiring individual user identification, role-based permissions, and context-aware access restrictions.

API Key Authentication

Implementation

API keys are transmitted via the HTTP Authorization header using the Bearer token scheme:

Authorization: Bearer YOUR_API_KEY

Permission Scopes

API keys are assigned one of three permission levels:

ScopeOperations AllowedUse Case
ReadGET requests onlyReporting, monitoring, read-only integrations
WriteGET, POST, PUT, PATCHStandard integration operations
AdminAll operations including DELETEAdministrative tools, complete system access

Channel Restrictions

Each API key is associated with specific channels, restricting data access to only those channels. This ensures data isolation between different sales channels and business units.

Request Example

curl -X GET "https://api.example.com/v1/orders?channel_id=CHANNEL_ID" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

MSAL Authentication

Overview

MSAL authentication provides user-based access control integrated with Azure Active Directory. User permissions are determined by Azure AD attributes, enabling dynamic access control based on organizational roles and responsibilities.

Permission Mapping

Azure AD attributes map to UOS access levels according to the following scheme:

Azure AD PermissionUOS Access LevelAllowed Operations
appPicker, appDriver, appDispatch, appStoreManagerReadGET operations
order, place, product, assortment, routeWriteGET, POST, PUT, PATCH
placeadmin, assortmentadmin, routeadminAdminAll operations

Context-Based Access Control

MSAL authentication includes context-aware access control:

  • Users are associated with specific places (stores, warehouses, fulfillment centers)
  • Places are mapped to channels for data access
  • Users can only access data for channels within their assigned context
  • Admin users bypass context restrictions and have access to all channels

Implementation

MSAL tokens are transmitted via the HTTP Authorization header using the Bearer token scheme:

Authorization: Bearer JWT_TOKEN

Request Example

curl -X GET "https://api.example.com/v1/orders?channel_id=CHANNEL_ID" \
  -H "Authorization: Bearer JWT_TOKEN" \
  -H "Content-Type: application/json"

Obtaining API Credentials

API Key Provisioning

To obtain API keys:

  1. Contact Naveo Support at gsd@maginus.atlassian.net
  2. Specify the required permission scope (read, write, or admin)
  3. Identify the channels requiring access
  4. Receive the generated API key via secure channel

MSAL Configuration

MSAL authentication is configured through Azure Active Directory. Contact Naveo Support at gsd@maginus.atlassian.net to:

  1. Verify Azure AD account provisioning
  2. Confirm role assignments and permissions
  3. Obtain necessary context associations (places, channels)

Security Best Practices

Credential Management

Storage - Store API keys and tokens in secure credential management systems (environment variables, key vaults, secrets managers). Never commit credentials to version control systems.

Transmission - Always use HTTPS for API requests. The UOS API enforces TLS encryption for all endpoints.

Rotation - Implement regular credential rotation schedules to minimize security exposure from compromised credentials.

Access Control

Least Privilege - Request the minimum permission scope required for the intended operations. Use read-only keys when write operations are not necessary.

Scope Limitation - Restrict API key channel access to only those channels required for the integration.

Monitoring - Implement logging and monitoring of API key usage to detect unauthorized access patterns.

Error Handling

API Key Errors

Status CodeError CodeDescriptionResolution
401MISSING_API_KEYAuthorization header missing or invalidVerify Authorization header format and API key value
403INSUFFICIENT_SCOPEAPI key lacks required permissionsRequest API key with appropriate scope
403UNAUTHORIZED_CHANNELAPI key cannot access specified channelVerify channel ID and API key channel permissions

MSAL Authentication Errors

Status CodeError CodeDescriptionResolution
401MISSING_AUTHAuthorization header not providedInclude valid JWT token in Authorization header
401EXPIRED_TOKENJWT token has expiredObtain new token from Azure AD
401INVALID_TOKENJWT token format or signature invalidVerify token generation and signing process
403INVALID_AUDIENCEToken audience doesn't match expected clientVerify Azure AD application configuration
403INVALID_ISSUERToken issuer not valid for tenantConfirm Azure AD tenant configuration
403NO_ACCESSIBLE_CHANNELSUser has context but no accessible channelsVerify user place and channel associations
403INSUFFICIENT_SCOPEUser lacks required permission levelRequest administrator to update user permissions

Authentication Method Selection

Use API Keys For

  • Service-to-service integrations requiring long-term, stable authentication
  • Automated systems and batch processes without user interaction
  • Webhook receivers and scheduled tasks
  • External system integrations that don't support MSAL
  • Background workers and queue processors

Use MSAL Authentication For

  • User-facing applications (web applications, mobile apps)
  • User-specific permissions based on organizational roles
  • Context-based access (users restricted to specific stores/locations)
  • Audit trails requiring user identification
  • Token expiration and refresh capabilities
  • Azure Active Directory integration requirements

Multi-API Authentication

The UOS platform provides two primary APIs, each accepting both authentication methods:

Core API

The Core API provides complete order lifecycle management, channel configuration, and administrative operations.

curl -X GET "https://api.example.com/v1/orders?channel_id=CHANNEL_ID" \
  -H "Authorization: Bearer YOUR_API_KEY"

Drone API

The Drone API provides optimized endpoints for in-store picking and fulfillment operations.

curl -X GET "https://api.example.com/dts/drone/orders?store_guid=STORE_GUID" \
  -H "Authorization: Bearer YOUR_API_KEY"

Both APIs use identical authentication mechanisms and honor the same permission and scope restrictions.

Troubleshooting

Authentication Failures

Symptom: Requests return 401 Unauthorized

Diagnostic Steps:

  1. Verify Authorization header is present and correctly formatted
  2. Confirm API key or JWT token is valid and not expired
  3. Test credentials with a simple GET request to a known endpoint
  4. Review API response body for specific error codes

Symptom: Requests return 403 Forbidden

Diagnostic Steps:

  1. Verify API key or user has required permission scope for the operation
  2. Confirm channel access permissions for the requested channel
  3. For MSAL authentication, verify user context and place associations
  4. Review user Azure AD attributes and role assignments

Support Resources

For persistent authentication issues:

  1. Review error codes - Consult the error handling tables above
  2. Verify configuration - Confirm API key validity, user permissions, and channel associations
  3. Check logs - Review application logs for detailed error messages
  4. Contact support - Reach out to Naveo Support at gsd@maginus.atlassian.net with specific error details
Last Updated: