Depending on applicable regulations or business limitations, specific API requests may not be available for your use.
We take the security of our API very seriously. We have implemented a security layer that ensures all requests received by our service are authenticated as coming from an authorized API user, and that the contents of the message have not been altered during the transmission of the request. Authorized users are prohibited from sharing credentials with third parties or using assigned credentials to facilitate access by third party firms.
Access to non-public resources via our RESTful API service are protected by a hash-keyed message authentication code (HMAC) mechanism. Each request to a protected resource must contain authentication information establishing the identity of the requesting principal. This is accomplished by passing specific data in a canonical format with each request, via the headers of the HTTP request. To submit an authenticated request to our service, you will need to have your API key and the corresponding shared secret. The API key is a unique value that explicitly identifies you as a potential authorized user for our service. The shared secret is a randomized string that is known only to our system and you.
Each request will consist of the request body itself, and a specially generated Authorization header that contains all of the information necessary for our system to properly authenticate the request. Part of this header will be a signature representing the request, generated in a specific way and signed with the shared secret. The Folio service will generate our own signature of the request using the exact same procedure and with our copy of the shared secret. If the signatures are equal, then we are assured that the request is properly authenticated, has not been modified in transmission, and has come from an authorized user (identified by the API key).
Protect your authentication credentials.
If an external party were to utilize these credentials, they would be able to submit requests to our system as you. Once your access to our system has been set up, Folio will securely communicate your credentials via an encrypted communications channel. If you have any suspicion that the key and its corresponding secret have been compromised, inform Folio immediately so that the key can be marked as compromised and we can issue you a new key. Do not ever include your key in support correspondence.