Token Based Authentication

In this article, you will learn how Token Based Authentication works.

Token based authentication is a way to authenticate a customer and log them into the loyalty program securely. Instead of authenticating a customer based only on the data passed through the basic integration snippet, token based authentication adds an extra verification step for security.

Pre-requisites for Token Based Authentication

  1. Merchant needs to associate a token with a customer account in the database. This token should be unique for every customer session.

  2. Merchant is expected to generate an endpoint (a method). The input to this endpoint is an “access_token” and the output response must return the customer information in the following format: {"first_name": "Ethan", "last_name": "Hunt", "email": "[email protected]","uid": "12jlkd1k2"}

  3. The authentication type should be changed to "Token Based" in the Zinrelo admin console. This setting is available under General >> Settings >> Loyalty Settings.

Token Based Authentication Flow

[Figure: Token Based Authentication flow diagram]

Changes Required to the Basic Integration

The basic integration JS stays the same. Only an additional 'access_token' parameter is passed through the script. Though the customer information is exchanged through the front end, the customer will only be authenticated once Zinrelo receives the matching customer information from the configured endpoint URL.

window._zrl = window._zrl || [];
var init_data = {
  'partner_id' : XXXXXXXX, /* REQUIRED: Zinrelo Partner ID */
  'email' : '[email protected]',
  /* REQUIRED when the user is logged in. For non-logged-in users,
     pass an empty string (''). */
  'name' : 'User Full Name',
  /* REQUIRED when the user is logged in. For non-logged-in users,
     pass an empty string (''). */
  'user_id' : 'Unique-user-ID',
  /* REQUIRED when the user is logged in. For non-logged-in users and
     guest users who DO NOT have an account, pass an empty string (''). */
  'access_token' : 'access token'
  /* REQUIRED when the user is logged in. Must be unique for a given user session. */
};
_zrl.push(['init', init_data]);

Note: You can secure your endpoint URL with an API key. Share your endpoint URL and API key with your account manager at [email protected]. This lets us validate the process and keep your URL secured with us.

How will Zinrelo call the customer API?

Zinrelo will call the customer API to fetch the user info using the following curl format:

curl --request GET \
     --url 'https://xyz.com/userinfo?merchant_id=abcd&access_token=xyz' \
     --header 'api-key: xxxxxx'

In the above curl request, the API key is the one shared by the customer to protect their API. The access token is the per-session user token that the customer passes in the basic integration JS, and merchant_id is the Zinrelo Partner ID.

The request should return 200 OK with the following response: {"first_name": "Ethan", "last_name": "Hunt", "email": "[email protected]","uid": "12jlkd1k2"}

Any response other than 200 OK will log the user out of the Zinrelo end-user dashboard.
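The following is an added example of the merchant-side handler that this endpoint contract describes; it is not Zinrelo's code or a Zinrelo library. It assumes a plain (query, headers) request representation so it runs without a web framework; the session store, partner id, api-key value and e-mail address are constructed placeholders.

```python
import hmac

# Constructed sample store: per-session access_token -> customer record.
# A real deployment would look the token up in the merchant database.
SESSIONS = {
    "tok-session-001": {"first_name": "Ethan", "last_name": "Hunt",
                        "email": "ethan@example.com", "uid": "12jlkd1k2",
                        "expires_at": 2_000_000_000},   # still valid
    "tok-session-002": {"first_name": "Old", "last_name": "Session",
                        "email": "old@example.com", "uid": "u2",
                        "expires_at": 1_000_000_000},   # already expired
}
MERCHANT_ID = "abcd"          # placeholder for the Zinrelo Partner ID
ENDPOINT_API_KEY = "xxxxxx"   # placeholder for the api-key shared with Zinrelo
RESPONSE_FIELDS = ("first_name", "last_name", "email", "uid")


def handle_userinfo(query, headers, now=1_500_000_000, sessions=SESSIONS):
    """Serve GET /userinfo?merchant_id=..&access_token=.. as Zinrelo calls it.

    Returns (http_status, body). Anything other than 200 causes Zinrelo to
    log the user out, so every rejection path deliberately returns non-200.
    """
    # 1. Verify the shared api-key first, in constant time, before touching
    #    any session data; a missing header compares as an empty string.
    supplied = headers.get("api-key", "")
    if not hmac.compare_digest(supplied.encode(), ENDPOINT_API_KEY.encode()):
        return 401, {"error": "invalid api key"}

    # 2. Only answer for our own partner id.
    if query.get("merchant_id") != MERCHANT_ID:
        return 403, {"error": "unknown merchant_id"}

    # 3. Resolve the per-session token; unknown or expired tokens get 404 so
    #    the dashboard session is ended rather than kept alive.
    record = sessions.get(query.get("access_token", ""))
    if record is None or record["expires_at"] <= now:
        return 404, {"error": "unknown or expired access_token"}

    # 4. Return exactly the four fields Zinrelo expects and nothing else
    #    (no expiry, no internal ids).
    return 200, {field: record[field] for field in RESPONSE_FIELDS}
```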