About the state transmission of authorization level
About the function scope of authorization level
About the encoding format of the payload
All the payload below sent to Saison connect API should be encoded in URL with
urllib.parse.urlencode(payload).
Step 1: get authorization code
GET access(with browser): /auth/screen/:member/authorize
{
"client_id": "ZT300",
"response_type": "code",
"scope": "foo,bar,blabla..." <- nullable
}
type in ID and PASSWORD
get authorization code -> https://apit.saisoncard.co.jp/demo/api/screen_token?code=[HERE IS THE CODE]
Step 2: get access token/refresh token
POST access(with browser or headless): /auth/token
{
"X-API-VERSION": "1",
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8"
}
{
"grant_type": "authorization_code",
"client_id": "[Your client ID]",
"client_secret": "[Your client secret]",
"code": "[The code you got at Step 1]"
}
Step 3: do request
GET or POST access(with browser or headless): any other endpoints except ones for authorization
{
"X-API-VERSION": "1",
"Content-Type": "application/x-www-form-urlencoded",
"authorization": "MAC id=\"[access_token]\" ts=\"[time_stamp]\" nonce=\"[nonce]\" mac=\"[mac]\""
}
about the authorization
| parameter_name | datatype | comments |
|---|---|---|
| id | string | access_token |
| ts | uint(unix_timestamp) | timestamp |
| nonce | string | a random string in regex format: [0-9a-zA-z]{10}(e.g. abcde12345) |
| mac | string | main information for authorization, generated by gen_mac |
import hmac
import hashlib
import base64
def gen_mac(mac_str, client_secret):
raw_signature = hmac.new(
bytes(client_secret, "UTF-8"),
msg=bytes(mac_str, "UTF-8"),
digestmod=hashlib.sha256
).digest()
b64_mac = base64.b64encode(raw_signature).decode("ascii")
return b64_mac
mac_str = "{}\n{}\nPOST\n{}\n{}\n{}\n\n".format(
timestamp, nonce,
endpoint, "apit.saisoncard.co.jp", 443
)
# endpoint: A URL without protocol name(http(s)) and domain sections,
# e.g. /auth/account/profile for TEB001
About the payload of accessing to endpoint
the actual payload format should follows the API interface definition,
below is an example.
{
"data_flg": 1,
"info_key": "card_meisho_sousho,birthday,sex,sex_name,add_cdA"
}