Authentication

At Koala, we use a Bearer token to authenticate our partners. You therefore need to send a specific header with every request to our Partner API.

If you have access to this documentation, it means that you should have been provided with:

  • a token for our staging environment,
  • the URL of our staging server,
  • the link to our OpenAPI documentation.

If you are missing any of the above elements, please contact support@hikoala.co. We will get back to you as soon as possible (usually within 48 hours).

HTTP header

In order to prove that you are authorized to interact with our Partner API, each request should have the Authorization header, with the format Bearer <your token>. Here is an example:

> curl -X GET "https://xxx" -H "Authorization: Bearer <your token>"
{}

If a request is unauthenticated, you will receive a 401 error from us.

Token scope

A staging token only gives you access to our staging environment. This environment is your playground for testing: operations performed on that server have no consequences.

Once you have completed the requirements to go live, you will receive a production token to start creating contracts.

danger

Your staging token cannot be used on our production environment. Please be careful not to mix up your tokens and environments. Any operation made on the production server will create contracts, and you will be charged accordingly.

Token lifetime

The tokens provided by Koala are valid for a limited period of time, whichever environment they belong to. The lifetime of tokens is currently set at 2 years. If one of your tokens is approaching its expiry date, contact us to obtain a new token.

Security concerns

Please be extra careful with your tokens. It is your responsibility to secure your token. Anyone who has access to your token can act as you, and we will have no way to distinguish you from the impostor.

As a reminder, we will invoice you for all operations made on the production server by your token.

tip
  • Do not store your token in your versioning system
  • Use a secret manager
  • Do not share your token publicly
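
The following is an added example, not code provided by Koala. It shows one way to keep tokens out of source code and tied to their environment: each environment has its own token variable, and the Authorization header is attached only when the final URL is HTTPS on the expected host. The host names and variable names are placeholders chosen for this example; use the URLs you received from Koala.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumed placeholders: Koala supplies the real server URLs; the variable names are our choice.
ENVIRONMENTS = {
    "staging": ("https://staging.partner-api.example", "KOALA_STAGING_TOKEN"),
    "production": ("https://partner-api.example", "KOALA_PRODUCTION_TOKEN"),
}


class ConfigError(Exception):
    """The request was refused locally, before any token left the process."""


def build_request(env_name, path, environ=os.environ):
    """Return a GET request carrying the token that belongs to env_name."""
    if env_name not in ENVIRONMENTS:
        raise ConfigError(f"unknown environment: {env_name!r}")
    base_url, token_var = ENVIRONMENTS[env_name]
    # The token comes from the process environment (populated by a secret
    # manager at deploy time), never from a file tracked in version control.
    token = environ.get(token_var, "").strip()
    if not token:
        raise ConfigError(f"{token_var} is not set")
    url = base_url + path
    # Refuse to attach the token if the final URL is not HTTPS on the expected host.
    target, expected = urlsplit(url), urlsplit(base_url)
    if target.scheme != "https" or target.hostname != expected.hostname:
        raise ConfigError(f"refusing to send {token_var} to {target.hostname!r}")
    request = urllib.request.Request(url, method="GET")
    request.add_header("Authorization", f"Bearer {token}")
    return request


def call(env_name, path, environ=os.environ, opener=urllib.request.urlopen):
    """Send the request; a 401 becomes an error naming the variable, not the token."""
    request = build_request(env_name, path, environ)
    try:
        with opener(request) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            _, token_var = ENVIRONMENTS[env_name]
            raise PermissionError(f"401 from {env_name}: check {token_var}") from None
        raise
```

Because the production token lives in its own variable, a process that only has the staging variable set cannot create contracts on the production server by accident.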