Authenticating Requests
Requests sent to the REST API need to have a specific structure in order to be validated correctly. This is done by adding specific HTTP headers to each request.
x-nonce-token
This is the first header that needs to be added to your request. It should be a random alphanumeric string, UTF-8 and base64 encoded, and it must be different for each request, because it is the ID of your request. If the same token is sent again within a time-frame of 10 minutes, you will receive an HTTP response code of 401 stating that a request with the same token has already been processed. E.g. generate a GUID: "058fd9ca-5116-47a4-b4ca-635adce6cbcb", encode it using base64: "MDU4ZmQ5Y2EtNTExNi00N2E0LWI0Y2EtNjM1YWRjZTZjYmNi" and send it in the x-nonce-token header.
x-app-token
The content of this header allows authenticating and authorizing access to resources based on the permission level of your application. You should send the application token you receive when you register your application. By default the token is valid for one year, and you will receive a notification to renew your access near the expiration date.
x-user-credential
This header content allows for authenticating and authorizing access to the resources based on the level of permissions of the user. The session token must be retrieved from the login endpoint.
Summary
The x-nonce-token is mandatory;
The x-app-token should be sent when application based authentication is enforced for a specific endpoint;
The x-user-credential should be sent when user based authentication is enforced for a specific endpoint;
It should be noted that application and user based authentication can be enforced simultaneously in certain endpoints. When that happens, both headers should be sent.
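The header rules above as a Python sketch, added here as an example and not the API's own code: `build_auth_headers` assembles the headers for one request, and `NonceWindow` is a hypothetical model of the 10-minute duplicate check. The function and class names, the rejection of a missing nonce with 401, and the acceptance of a nonce again once the window has passed are assumptions, not statements from this page.

```python
import base64
import time
import uuid

NONCE_WINDOW_SECONDS = 10 * 60  # duplicate window stated on this page


def new_nonce_token() -> str:
    """Fresh GUID, UTF-8 encoded, then base64 encoded (as in the page's example)."""
    return base64.b64encode(str(uuid.uuid4()).encode("utf-8")).decode("ascii")


def build_auth_headers(app_token=None, user_credential=None) -> dict:
    """Headers for ONE request; call again for every request, including retries."""
    headers = {"x-nonce-token": new_nonce_token()}  # always mandatory
    if app_token is not None:        # endpoint enforces application authentication
        headers["x-app-token"] = app_token
    if user_credential is not None:  # endpoint enforces user authentication
        headers["x-user-credential"] = user_credential
    return headers


class NonceWindow:
    """Hypothetical model of the server-side duplicate check (assumption)."""

    def __init__(self, window=NONCE_WINDOW_SECONDS, clock=time.monotonic):
        self._seen = {}  # nonce -> time it was first accepted
        self._window = window
        self._clock = clock

    def check(self, headers: dict) -> int:
        """Return the HTTP status the nonce check alone would produce."""
        now = self._clock()
        # Assumption: nonces older than the window no longer count as duplicates.
        self._seen = {n: t for n, t in self._seen.items() if now - t < self._window}
        nonce = headers.get("x-nonce-token")
        # Assumption: a missing nonce is rejected the same way as a duplicate.
        if not nonce or nonce in self._seen:
            return 401
        self._seen[nonce] = now
        return 200
```

A client that resends a failed request with the same header dictionary will hit the 401 path, so retries should rebuild the headers rather than reuse them.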