API token

Besides the Retail3000AuthenticateToken in the SOAP header, there is also a requirement to send an API token. The Retail3000AuthenticateToken is used for authentication, while the ApiToken is used for general access to our systems. This API token was introduced in 2018 and adds an extra layer of security. Before we had this token, system access was IP address based only.

With the ApiToken, access to our systems can be granted, and traffic can also be logged at summary or detailed level. This is used for our fair use policy, but also to assist in cases where certain web service calls don't work as expected.

A RetailVista customer needs to buy an 'API interface' license. From that moment on, API use of our system is possible, and with this license an unlimited number of API tokens can be generated by our support desk. If you need a token, send a request to our support desk, together with a recognizable description of the type of application integration the API token will be used for. Because of this, we strongly encourage you to request a separate token for each application integration! By doing so, we can monitor the behavior of each application integration, and when necessary (we hope it won't be) we can temporarily disable a single application integration. The token contains a GUID.

It is important to realize that the ApiToken is an HTTP header; it is not part of the Retail3000AuthenticateToken itself!

Below is an example of a partial set of HTTP headers with an ApiToken:

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
ApiToken: 47ddedc5-6967-4da0-a849-1b441286f665

When the ApiToken header is not passed to our API gateway, we do not reply at all. This decision has been made so as not to inform possible hackers about the cause of an authentication failure. When an ApiToken is passed with an empty or invalid value, we do inform about the reason why access is denied. When the API token is valid, the request is forwarded to the Retail3000 API server.
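The three gateway outcomes above (no reply when the header is absent, a denial with reason when it is empty or invalid, forwarding when it is valid), together with the per-integration token registry and usage logging described earlier, can be modelled in a few lines. The following is an added example and not RetailVista's gateway or client code; the `ISSUED_TOKENS` registry, the integration descriptions, the second token value, the `check_api_token` and `build_client_headers` functions and the exact denial wording are all constructed for the illustration, and the real gateway's responses are not documented on this page.

```python
"""Illustrative model of the ApiToken header check described on this page.

Added example, not RetailVista's gateway code. The registry, the second
token value, the integration names and the denial messages are constructed.
"""
import uuid
from dataclasses import dataclass
from typing import Optional

# The header the page documents; header names are case-insensitive in HTTP.
API_TOKEN_HEADER = "ApiToken"


@dataclass
class TokenRecord:
    """One issued token: a recognizable description, an on/off switch and a
    summary-level usage counter, so one integration can be watched or
    disabled without touching the others."""
    description: str
    enabled: bool = True
    request_count: int = 0


# Constructed registry (first token is the page's own example value; the
# second is a made-up token for a disabled integration).
ISSUED_TOKENS = {
    "47ddedc5-6967-4da0-a849-1b441286f665": TokenRecord("webshop sync (example)"),
    "b1f3f7a2-1d2e-4c8e-9f0a-3c5d6e7f8a9b": TokenRecord("old POS bridge (example)", enabled=False),
}


@dataclass
class GatewayDecision:
    action: str                  # "drop", "deny" or "forward"
    reason: Optional[str] = None # only set for "deny"


def _get_header(headers: dict, name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_canonical_guid(value: str) -> bool:
    """Accept only the hyphenated 8-4-4-4-12 form the page shows."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_api_token(headers: dict, registry: dict = ISSUED_TOKENS) -> GatewayDecision:
    """Decide what the gateway does with an incoming request's headers."""
    value = _get_header(headers, API_TOKEN_HEADER)
    if value is None:
        # Header absent: answer nothing, so a probe learns nothing about why.
        return GatewayDecision("drop")
    value = value.strip()
    if not value:
        return GatewayDecision("deny", "ApiToken header is empty")
    if not _is_canonical_guid(value):
        return GatewayDecision("deny", "ApiToken is not a valid GUID")
    record = registry.get(value.lower())
    if record is None:
        return GatewayDecision("deny", "ApiToken is unknown")
    if not record.enabled:
        return GatewayDecision("deny", "ApiToken has been disabled")
    record.request_count += 1      # summary-level traffic logging
    return GatewayDecision("forward")


def build_client_headers(api_token: str, soap_action: str = "") -> dict:
    """Client side: the ApiToken travels as an HTTP header next to the usual
    SOAP transport headers, not inside the SOAP envelope."""
    return {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": soap_action,
        API_TOKEN_HEADER: api_token,
    }


if __name__ == "__main__":
    for hdrs in ({"User-Agent": "demo"},
                 {"ApiToken": ""},
                 {"apitoken": "not-a-guid"},
                 build_client_headers("47ddedc5-6967-4da0-a849-1b441286f665")):
        print(hdrs.get("ApiToken", hdrs.get("apitoken")), "->", check_api_token(hdrs))
```

Note that the SOAP `Retail3000AuthenticateToken` is deliberately absent from this model: the gateway check runs on the HTTP header alone, before the SOAP body is ever inspected, which is exactly why a client that puts the token inside the envelope instead of the headers gets no reply.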