Authentication

Each request to the Heart.work Core API requires the consumer to include an Authorization header containing a valid access token. The access token provides access in the context of a workspace. There are currently two supported authentication methods:

1. Heart.work user authentication

An access token can be retrieved for your Heart.work user using the Resource Owner Password Flow. Users are required to provide credentials in exchange for an access token.

This flow can be executed by calling the /auth endpoint. You'll receive a Bearer access_token which can be used for all other Commerce API endpoints.

The access_token should be included in the Authorization header as follows:

Code
 
Authorization: Bearer {access_token}

2. API key authentication

An API key provided by Heart.work can be used to authenticate requests. This API key is associated with (a) specific workspace(s) and provides access to the Core API in the context of those workspace(s). The API key should be included in the apikey header as follows:

Code
 
apikey: {apikey}

Workspace context

The API requires that each request is made in the context of a specific workspace. The consumer is required to include a workspace header with the ID of the workspace they want to access. This workspace id is provided by Heart.work.

Code
 
workspace: {workspace}