Implementation Overview

Authentication

From a technical perspective, the integration with the Auth service itself should be implementable within half a day. If any challenges arise, the implementation contact persons are available. Estimates for further processes in the partner's own systems that are triggered after authentication must be obtained directly from the respective system managers at the partner.

Preamble

Suppliers get access to the Authentication API. We are working with Auth0 to provide a stable and performant solution. After requesting access to the platform, suppliers receive client credentials (client_id and client_secret) to authenticate themselves.

Besides the client information, the supplier also needs url and audience from our side:

 
url: auth.hb-marketplace.com
audience: https://api.hb-marketplace.com/api/users

Supplier Requirements

For the connection/implementation, the supplier must provide several URLs. They are required in order to protect the users who log in from data misuse:

  • Login URL

  • Logout URL

  • Callback URLs (redirect URLs at the supplier to which the Auth service redirects a user after successful login)

  • List of domains and subdomains used by the supplier to integrate with the Auth service

User Authentication

To log a user in, they must be authenticated via a specific workflow, the Authorization Code Flow.

To ensure that the requested authorization can be performed consistently, the audience https://api.hb-marketplace.com/api/users must be specified as a request parameter.

After successful login, the user is redirected to the specified redirect URL.

Depending on the specified response type, the query or hash part of the URL contains one or more tokens of the specified type. This token can be used directly for API calls to the Auth service (response type: token id_token) or exchanged on the server side for an access_token for API calls (response type: code).

Further information: Authentication API Explorer.

Technical details

Authorization without an audience does not return the access_token as a JSON Web Token (JWT), which causes problems with automatic authentication and verification in many SDKs. We recommend always specifying the audience.
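
The Authorization Code Flow and the audience recommendation above, as an added example (not HB Marketplace's or Auth0's own code): it builds the login redirect with the audience, validates the callback and prepares the server-side code exchange. The /authorize and /oauth/token paths are Auth0's standard endpoints; the client credentials, redirect URI, scope, the state parameter handling and all function names are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_DOMAIN = "auth.hb-marketplace.com"  # url given on this page
AUDIENCE = "https://api.hb-marketplace.com/api/users"  # audience given on this page
CLIENT_ID = "EXAMPLE_CLIENT_ID"  # placeholder
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"  # placeholder; server side only
REDIRECT_URI = "https://supplier.example/callback"  # assumed registered callback URL


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """Step 1: redirect the browser to the Auth service (response type: code)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "audience": AUDIENCE,
              "scope": "openid", "state": state}
    return f"https://{AUTH_DOMAIN}/authorize?{urlencode(params)}"


def build_token_request(callback_url: str, expected_state: str) -> dict:
    """Step 2: validate the callback, then describe the server-side code exchange."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unregistered URL")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "code": code,
            "redirect_uri": REDIRECT_URI}
    return {"url": f"https://{AUTH_DOMAIN}/oauth/token", "json": body}


def looks_like_jwt(access_token: str) -> bool:
    """True if the token has the three-segment JWT shape (no signature check)."""
    parts = access_token.split(".")
    return len(parts) == 3 and all(parts)
```

The dictionary returned by build_token_request is what the supplier's backend would POST with its HTTP client; looks_like_jwt is only a shape check to catch a missing audience early and does not replace signature verification.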

Customer Contract API

The API allows suppliers to retrieve the active contracts for a customer that are relevant to the specific supplier. This can be useful if the interpretation of the Webhooks fails.

As a result, the current status can always be retrieved, even if data has been lost.