Overview

  • Platform: GP247 is built on Laravel and uses Laravel Sanctum for authentication.
  • Security: In addition to Sanctum access tokens, GP247 adds an extra security layer via the apiconnection/apikey pair.

API Categories

  • Front API: Public data, or data that requires a signed-in customer account.
  • Core API: Administrative/management data, restricted to admin accounts with elevated authentication.

Authentication

  • Access Token (Sanctum):
    • Used by both front and core APIs to identify the customer/admin.
    • Sent in the Authorization header as a Bearer token.
  • Additional security (optional): apiconnection/apikey:
    • An identifier/secret key pair used alongside the access token to increase security.
    • Note: if enabled, apiconnection/apikey applies to all endpoints.
    • Headers sent on each request:
      Authorization: Bearer 
      apiconnection: 
      apikey: 

Basic Authentication Flow

  • Front API:
    1. The user signs in to obtain an access_token (Sanctum).
    2. Call the API with Authorization: Bearer .
    3. If the endpoint requires it, include apiconnection/apikey.
  • Core API:
    1. The admin signs in to obtain an access_token (Sanctum).
    2. Call the API with Authorization: Bearer  and, if configured, include apiconnection/apikey (often required).

Security Notes

  • Protect secrets: Do not log the apikey, do not commit it to source control, rotate it regularly.
  • Least privilege: Grant only the necessary scope/permissions to tokens/connections.
  • Monitoring: Track usage, detect anomalies, and revoke keys when needed.

Obtain access_token

  • Customer (Front API):
    • Method: POST https://{domain}/api/front/login
    • Body (JSON): email, password, remember_me (boolean, optional)
  • Admin (Core API):
    • Method: POST https://{domain}/api/core/login
    • Body (JSON): username, password, remember_me (boolean, optional)
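The login-then-call flow from the two sections above, as an added client example (not GP247's own code). It assumes the login response carries the token in an "access_token" field and that the domain and endpoint paths are the ones listed above; the transport is injectable so the class can be exercised without a live server, and redacted() masks the token and apikey before anything reaches a log.

```python
import json
import urllib.request


def urllib_transport(method, url, headers, body):
    """Default transport: a real HTTPS request via the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


class GP247Client:
    SECRET_HEADERS = ("authorization", "apikey")  # never written to logs

    def __init__(self, domain, apiconnection=None, apikey=None, transport=urllib_transport):
        self.base = f"https://{domain}"
        self.apiconnection = apiconnection
        self.apikey = apikey
        self.transport = transport  # injectable so the client can be exercised offline
        self.access_token = None

    def headers(self):
        """Headers for a call; apiconnection/apikey are sent only when both are configured."""
        h = {"Accept": "application/json", "Content-Type": "application/json"}
        if self.access_token:
            h["Authorization"] = f"Bearer {self.access_token}"
        if self.apiconnection and self.apikey:
            h["apiconnection"] = self.apiconnection
            h["apikey"] = self.apikey
        return h

    def login(self, area, credentials):
        """area is 'front' (email/password) or 'core' (username/password)."""
        status, raw = self.transport("POST", f"{self.base}/api/{area}/login",
                                     self.headers(), json.dumps(credentials).encode())
        if status != 200:
            raise PermissionError(f"login failed with HTTP {status}")
        # Assumption: the login response returns the token in an "access_token" field.
        self.access_token = json.loads(raw)["access_token"]
        return self.access_token

    def get(self, path):
        """Authenticated GET; 401/403 means an expired/revoked token or a rejected apikey."""
        status, raw = self.transport("GET", f"{self.base}{path}", self.headers(), None)
        if status in (401, 403):
            raise PermissionError(f"request rejected with HTTP {status}")
        return json.loads(raw)

    @classmethod  # copy of the headers that is safe to log: token and apikey masked
    def redacted(cls, headers):
        return {k: "***" if k.lower() in cls.SECRET_HEADERS else v for k, v in headers.items()}
```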

Manage apiconnection security

  • Navigate: Admin -> API Manager -> API Config

Disable API

  • Configure in .env: GP247_API_MODE=0