
Authentication

All API requests require authentication using a client secret. This page explains how authentication works and best practices for keeping your credentials secure.

How It Works

The API uses a simple header-based authentication scheme. Each operator is assigned a unique client secret (a UUID) that must be included in every request.

Header Format

```http
X-Client-Secret: your-uuid-secret-here
```

Full Request Example

```bash
curl -X GET 'https://api.syssoft1.com/api/client/reports/transactions' \
  -H 'Accept: application/json' \
  -H 'X-Client-Secret: fd5a9710-d7f8-47af-a2c5-d553f9029706'
```

Error Responses

Missing Header

If the X-Client-Secret header is not included in the request:

```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json
```

```json
{
  "message": "Invalid or inactive client secret",
  "error": "unauthorized"
}
```

Invalid Secret

If the provided secret does not match any active client:

```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json
```

```json
{
  "message": "Invalid or inactive client secret",
  "error": "unauthorized"
}
```

Inactive Client

If your client account has been deactivated, you will receive the same 401 Unauthorized response. Contact your administrator to reactivate access.

Security Best Practices

Never Expose Your Secret in Client-Side Code

Your client secret should never appear in frontend JavaScript, mobile app source code, or any code that runs in the browser. A leaked secret grants full access to your reporting data.

Recommendations

  • Store the secret in environment variables on your server (e.g., CLIENT_API_SECRET).
  • Make API calls from your backend — never from the browser.
  • Use HTTPS — all requests to api.syssoft1.com are served over TLS.
  • Rotate your secret if you suspect it has been compromised (contact your administrator).
  • Restrict access to the secret within your organization to only those who need it.

Avoid

  • Do not include the secret in source files committed to version control.
  • Do not share the secret over insecure channels (unencrypted email, chat).
  • Do not include the secret in URL query parameters — use the header instead.
  • Do not log the full secret value in application logs.

Example: Server-Side Integration

Node.js (using fetch)

```javascript
// Read the secret from the server's environment; it never reaches the browser.
const CLIENT_SECRET = process.env.CLIENT_API_SECRET;

const response = await fetch(
  'https://api.syssoft1.com/api/client/reports/transactions?page=1',
  {
    headers: {
      'Accept': 'application/json',
      'X-Client-Secret': CLIENT_SECRET,
    },
  }
);

// A 401 means the secret is missing, invalid, or the client is inactive.
if (!response.ok) {
  throw new Error(`Request failed with HTTP ${response.status}`);
}

const data = await response.json();
```

Python (using requests)

```python
import os
import requests

# Read the secret from the environment rather than hard-coding it.
CLIENT_SECRET = os.environ['CLIENT_API_SECRET']

response = requests.get(
    'https://api.syssoft1.com/api/client/reports/transactions',
    params={'page': 1},
    headers={
        'Accept': 'application/json',
        'X-Client-Secret': CLIENT_SECRET,
    },
)

# Raises requests.HTTPError on 401 (missing, invalid, or inactive secret).
response.raise_for_status()
data = response.json()
```
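The following is an added example, not SysSoft's own SDK or code from this page. It packs the rules above into one small Python client: the secret is sent only in `X-Client-Secret` (never in the query string), a 401 with the error body shown in Error Responses is mapped to a distinct `AuthError`, and the secret is redacted before it can land in a log line. The `Transport` callable, `fake_transport`, and the response shape are constructed for the example; `DOC_SECRET` is the placeholder UUID from the curl example earlier on this page.

```python
import json
from typing import Any, Callable, Dict, Tuple

BASE_URL = "https://api.syssoft1.com"
Transport = Callable[[Dict[str, Any]], Tuple[int, str]]  # request -> (status, body)

class AuthError(Exception):
    """Raised on 401: missing, invalid or inactive client secret."""

def redact(secret: str) -> str:
    """Mask a secret for log lines: keep only the last 4 characters."""
    if len(secret) <= 4:
        return "****"
    return "*" * (len(secret) - 4) + secret[-4:]

def build_request(path: str, secret: str, page: int = 1) -> Dict[str, Any]:
    """The secret travels in X-Client-Secret, never in the query string."""
    return {
        "method": "GET",
        "url": BASE_URL + path,
        "params": {"page": page},
        "headers": {"Accept": "application/json", "X-Client-Secret": secret},
    }

def get_transactions(secret: str, send: Transport, page: int = 1) -> Any:
    """Fetch one page of the transactions report, mapping 401 to AuthError."""
    req = build_request("/api/client/reports/transactions", secret, page)
    status, body = send(req)
    if status == 401:
        err = json.loads(body)
        # Only the redacted secret goes into the error text, so it is safe to log.
        raise AuthError(f"{err.get('message')} (secret {redact(secret)})")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return json.loads(body)

# Constructed stand-in for the network so the example runs offline. It accepts
# only the placeholder UUID from this page's curl example and answers 401
# with the page's error body otherwise (hypothetical 200 body shape).
DOC_SECRET = "fd5a9710-d7f8-47af-a2c5-d553f9029706"

def fake_transport(req: Dict[str, Any]) -> Tuple[int, str]:
    if req["headers"].get("X-Client-Secret") != DOC_SECRET:
        body = {"message": "Invalid or inactive client secret", "error": "unauthorized"}
        return 401, json.dumps(body)
    return 200, json.dumps({"data": [], "page": req["params"]["page"]})
```

For real traffic, a transport is a one-liner around `requests.get(req["url"], params=req["params"], headers=req["headers"])` returning `(r.status_code, r.text)`; the `AuthError` text can then be logged as-is because it only ever carries the redacted secret.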

PHP (using cURL)

```php
// Read the secret from the server's environment rather than hard-coding it.
$clientSecret = getenv('CLIENT_API_SECRET');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => 'https://api.syssoft1.com/api/client/reports/transactions?page=1',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER => [
        'Accept: application/json',
        'X-Client-Secret: ' . $clientSecret,
    ],
]);

$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// A 401 means the secret is missing, invalid, or the client is inactive.
if ($response === false || $status !== 200) {
    throw new RuntimeException("Request failed with HTTP $status");
}

$data = json_decode($response, true);
```
