API Authentication and Security

Security design and authentication methods for point balance retrieval API


About This Article

Point balance is personal information and must not be accessed without proper authentication. This article explains the mechanism for supporting multiple authentication methods while ensuring security.

Why Authentication is Important

Risks Without Authentication

Point balance is personal information. If the API answered requests without checking who sent them, anyone who knew or guessed a customer ID could read that customer's balance, and there would be no record of who did so.

Security Principles to Follow

  • Authentication: Confirm who the request comes from
  • Authorization: Confirm that the requester is allowed to access the requested data
  • Audit: Record every access attempt, whether it was allowed or denied

Authentication Mechanism

Authentication Check Flow

  1. Receive request: receive the point retrieval request from the client.
  2. Check authentication info: get the authentication token from the request header (the Authorization header for a bearer token, or the Cookie header for the HttpOnly session cookie).
  3. Verify token: verify that the token is valid (signature, expiration).
  4. Get customer ID: get the authenticated customer ID from the token.
  5. Verify ownership: confirm that the request's target customer ID matches the authenticated customer ID.
  6. Allow/Deny access: if every step passes, continue processing; if any step fails, return an error.

Flow Diagram

Authentication Flow Details

Client -> Server: GET /api/points (Authorization: Bearer xxx)

Server: Extract token -> Verify signature -> Check expiration -> Get customer ID -> Verify ownership -> Allow or deny

Supported Authentication Methods

Session Token Authentication

Session Token Method - At Login

  1. Login with email OTP: the customer authenticates with a one-time password sent to their email address.
  2. Token issuance: the server issues a session token.
  3. Save to Cookie: the token is stored in an HttpOnly cookie, so the browser sends it with later requests but scripts running in the page cannot read it.

Shopify Customer Account API Integration

Shopify OAuth Method - At Login

  1. Login with Shopify account: the customer authenticates on Shopify's login screen.
  2. OAuth token issuance: Shopify issues an OAuth token.
  3. Customer info accessible: with the token, the customer's information can be retrieved from Shopify; the customer ID obtained this way goes through the same ownership verification as the session-token method.

Importance of Ownership Verification

Why Verify Ownership

Important: A valid token proves who the requester is, not that they may see the requested data. Even an authenticated customer must not be allowed to read another customer's points.

Verification Logic

Ownership Verification Flow

  1. Get input info: take the authenticated customer ID (A) from the auth token and the target customer ID (X) from the request params.
  2. Check ID match: confirm A === X.
  3. Result: match -> return the point balance; mismatch -> return a 403 error and log the attempt as unauthorized access.

Security Measures

Implemented Measures

Error Response Design

For operators: the details behind an error response can be checked in the admin panel.

Logging and Monitoring

Information to Record

Monitoring Alerts
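An added example of the audit side of the design: the unauthorized-access log entries produced on an ownership mismatch (described above) and a detector that runs over them to raise an alert when one authenticated customer keeps asking for other customers' balances. This is illustration code, not the project's own; the record fields, the threshold of three mismatches, the five-minute window and the sample records are assumptions.

```javascript
// Added example, not the project's own code: audit records for point balance
// access and a detector that alerts when one authenticated customer repeatedly
// requests other customers' balances. Field names, threshold, window and the
// sample data are assumptions, not taken from the original page.
const UNAUTHORIZED_ACCESS_THRESHOLD = 3; // mismatches per actor before alerting
const ALERT_WINDOW_SECONDS = 300;        // sliding window for the count

// One record per request: who was authenticated (A), whose balance was asked
// for (X), where the request came from, and the outcome with its reason.
function auditRecord({ ts, authenticatedCustomerId, targetCustomerId, sourceIp, result, reason = null }) {
  if (!['allowed', 'denied'].includes(result)) throw new Error(`bad result: ${result}`);
  return { ts, authenticatedCustomerId, targetCustomerId, sourceIp, result, reason };
}

// Group ownership mismatches by the authenticated customer, slide a time window
// over each group, and report the first window that reaches the threshold.
// Other denials (expired or missing tokens) are not counted here.
function findRepeatedUnauthorizedAccess(records, opts = {}) {
  const threshold = opts.threshold ?? UNAUTHORIZED_ACCESS_THRESHOLD;
  const windowSeconds = opts.windowSeconds ?? ALERT_WINDOW_SECONDS;
  const byActor = new Map();
  for (const r of records) {
    if (r.result !== 'denied' || r.reason !== 'unauthorized_access') continue;
    if (!byActor.has(r.authenticatedCustomerId)) byActor.set(r.authenticatedCustomerId, []);
    byActor.get(r.authenticatedCustomerId).push(r);
  }
  const alerts = [];
  for (const [actor, hits] of byActor) {
    hits.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < hits.length; end++) {
      while (hits[end].ts - hits[start].ts > windowSeconds) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        const inWindow = hits.slice(start, end + 1);
        alerts.push({
          actor,
          count,
          firstTs: inWindow[0].ts,
          lastTs: inWindow[inWindow.length - 1].ts,
          targets: [...new Set(inWindow.map((h) => h.targetCustomerId))],
          sourceIps: [...new Set(inWindow.map((h) => h.sourceIp))],
        });
        break;
      }
    }
  }
  return alerts;
}

// Constructed sample records (not real traffic): cust_7 walks through three
// other customers' IDs within a minute; cust_42 makes a single mismatch.
const SAMPLE_RECORDS = [
  auditRecord({ ts: 1700000000, authenticatedCustomerId: 'cust_1', targetCustomerId: 'cust_1', sourceIp: '203.0.113.5', result: 'allowed' }),
  auditRecord({ ts: 1700000005, authenticatedCustomerId: 'cust_7', targetCustomerId: 'cust_1', sourceIp: '198.51.100.9', result: 'denied', reason: 'unauthorized_access' }),
  auditRecord({ ts: 1700000020, authenticatedCustomerId: 'cust_7', targetCustomerId: 'cust_2', sourceIp: '198.51.100.9', result: 'denied', reason: 'unauthorized_access' }),
  auditRecord({ ts: 1700000030, authenticatedCustomerId: null, targetCustomerId: 'cust_2', sourceIp: '198.51.100.9', result: 'denied', reason: 'expired' }),
  auditRecord({ ts: 1700000040, authenticatedCustomerId: 'cust_7', targetCustomerId: 'cust_3', sourceIp: '198.51.100.9', result: 'denied', reason: 'unauthorized_access' }),
  auditRecord({ ts: 1700000050, authenticatedCustomerId: 'cust_42', targetCustomerId: 'cust_43', sourceIp: '192.0.2.77', result: 'denied', reason: 'unauthorized_access' }),
  auditRecord({ ts: 1700000060, authenticatedCustomerId: 'cust_7', targetCustomerId: 'cust_7', sourceIp: '198.51.100.9', result: 'allowed' }),
];
```

Keying the detector on the authenticated customer ID rather than on the source IP is deliberate: the token tells you which account is probing, which is what an operator needs in order to act on it, while the IP is kept in the alert as supporting context.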

Benefits of This Design

Security

  • Customers cannot view other customers' points
  • Unauthorized access attempts are logged, so fraud can be detected and traced
  • Resilience against attacks on the API

Operations

  • Easy to identify causes when issues occur
  • Security audit ready
  • Data collection for continuous improvement