Authentication
Learn how to authenticate your API requests using headers and best practices for security.
Required Headers
Every API request must include these headers:
X-App-Id: app_your_application_id
X-Api-Key: test_sk_your_api_key
Content-Type: application/json
Accept: application/json
| Header | Required | Description |
|---|---|---|
| X-App-Id | Yes | Your application's unique identifier |
| X-Api-Key | Yes | Your API key with appropriate scopes |
| Content-Type | Yes (POST) | Must be application/json for POST requests |
| Accept | Recommended | Set to application/json |
Verify Connection
To verify your credentials are working correctly and test your connection, we recommend making a simple GET request that does not require any body parameters.
curl -X GET "https://app.raba7ni.com/api/v1/loyalty/cards" \
-H "X-App-Id: app_your_application_id" \
-H "X-Api-Key: test_sk_your_api_key" \
-H "Accept: application/json"
Example Request
curl -X POST "https://app.raba7ni.com/api/v1/loyalty/members/validate" \
-H "X-App-Id: app_abc123def456" \
-H "X-Api-Key: test_sk_xyz789ghi012" \
-H "Content-Type: application/json" \
-d '{"card_id": 5, "phone_number": "+21612345678"}'
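The following Python is an added example, not Raba7ni's own code or SDK. It reads the credentials from the RABA7NI_APP_ID and RABA7NI_API_KEY environment variables used later on this page, refuses to send a request with a malformed key (only the test_sk_ and prod_sk_ prefixes that appear in this page's examples are accepted), adds Content-Type only when a JSON body is present, and runs the body-less GET /loyalty/cards check. The `send` hook, the `ApiRequest` dataclass and the `fake_send` stand-in are assumptions made so the example runs offline; `send_with_urllib` is the real sender.

```python
"""Added example, not part of the Raba7ni API or its SDKs.

Builds the required headers from environment variables, fails fast on
malformed credentials, and runs the body-less GET check recommended above.
The `send` hook is an assumption so the code can run offline against a
constructed response; `send_with_urllib` is the real sender.
"""
import json
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://app.raba7ni.com/api/v1"
KEY_PREFIXES = ("test_sk_", "prod_sk_")  # the two prefixes shown in this page's examples


@dataclass
class ApiRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes] = None


def api_headers(env: Dict[str, str] = os.environ) -> Dict[str, str]:
    """Read credentials from the environment and return the auth headers.
    A typo in a deployment surfaces here, not as a confusing 401 later."""
    app_id = env.get("RABA7NI_APP_ID", "")
    api_key = env.get("RABA7NI_API_KEY", "")
    if not app_id or not api_key:
        raise RuntimeError("RABA7NI_APP_ID and RABA7NI_API_KEY must both be set")
    if not app_id.startswith("app_"):
        raise ValueError("X-App-Id should start with app_")
    if not api_key.startswith(KEY_PREFIXES):
        raise ValueError("X-Api-Key should start with test_sk_ or prod_sk_")
    return {"X-App-Id": app_id, "X-Api-Key": api_key, "Accept": "application/json"}


def redact(api_key: str) -> str:
    """Safe form of a key for log lines: prefix plus the last four characters."""
    return api_key[:8] + "..." + api_key[-4:]


def build_request(method: str, path: str, headers: Dict[str, str],
                  body: Optional[dict] = None) -> ApiRequest:
    """Assemble a request; Content-Type is only added when a JSON body is sent."""
    hdrs = dict(headers)
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        hdrs["Content-Type"] = "application/json"
    return ApiRequest(method, BASE_URL + path, hdrs, data)


def send_with_urllib(req: ApiRequest) -> Tuple[int, bytes]:
    """Real sender: returns (status, body) and does not raise on 4xx/5xx."""
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers,
                               method=req.method)
    try:
        with urllib.request.urlopen(r, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def verify_connection(env: Dict[str, str] = os.environ,
                      send: Callable[[ApiRequest], Tuple[int, bytes]] = send_with_urllib):
    """GET /loyalty/cards with no body; returns (ok, status, parsed_body)."""
    req = build_request("GET", "/loyalty/cards", api_headers(env))
    status, raw = send(req)
    try:
        parsed = json.loads(raw.decode("utf-8")) if raw else None
    except ValueError:
        parsed = None
    return status == 200 and parsed is not None, status, parsed


def fake_send(req: ApiRequest) -> Tuple[int, bytes]:
    """Constructed stand-in for the API so the example runs offline."""
    if not req.headers.get("X-App-Id") or \
            not req.headers.get("X-Api-Key", "").startswith(KEY_PREFIXES):
        return 401, b'{"success": false}'
    return 200, b'{"success": true, "data": []}'  # constructed sample body


if __name__ == "__main__":
    demo_env = {"RABA7NI_APP_ID": "app_abc123def456",
                "RABA7NI_API_KEY": "test_sk_xyz789ghi012"}
    ok, status, body = verify_connection(demo_env, fake_send)
    print(f"key {redact(demo_env['RABA7NI_API_KEY'])}: ok={ok} status={status}")
```

Log only the redacted form of the key; the full value should never reach a log line, a crash report or an error message returned to a browser.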
Member Authentication
Some endpoints require member authentication in addition to API authentication. This is done via the X-Member-Token header.
Obtaining a Member Token
The member authentication flow uses OTP (One-Time Password):
Request OTP
Request an OTP to be sent to the member's phone number.
curl -X POST "https://app.raba7ni.com/api/v1/members/auth/request-otp" \
-H "X-App-Id: app_abc123" \
-H "X-Api-Key: prod_sk_xyz789" \
-H "Content-Type: application/json" \
-d '{"phone_number": "+21612345678"}'
Verify OTP
The member enters the code received via SMS. Verify it to get the token.
curl -X POST "https://app.raba7ni.com/api/v1/members/auth/verify-otp" \
-H "X-App-Id: app_abc123" \
-H "X-Api-Key: prod_sk_xyz789" \
-H "Content-Type: application/json" \
-d '{"phone_number": "+21612345678", "otp": "123456"}'
{
"success": true,
"data": {
"member_token": "eyJhbGciOiJIUzI1NiIs...",
"expires_at": "2025-01-16T10:30:00Z",
"member_id": 123
}
}
Use the Token
Include the token in requests that require member authentication.
curl -X POST "https://app.raba7ni.com/api/v1/stamps/add" \
-H "X-App-Id: app_abc123" \
-H "X-Api-Key: prod_sk_xyz789" \
-H "X-Member-Token: eyJhbGciOiJIUzI1NiIs..." \
-H "Content-Type: application/json" \
-d '{"card_id": 5, "stamps": 2}'
Token Expiration
Member tokens expire after 24 hours. Store the token together with the expires_at value returned by verify-otp, check it before each member-authenticated call, and only start a new OTP flow once it has expired.
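The OTP flow above, carried end to end, as an added example that is not Raba7ni's own code: request the code, verify it, cache the member token with its expires_at, and refuse to reuse a stale token before the stamps/add call. The `send` hook is an assumption so the code runs offline; `fake_api` is a constructed stand-in whose responses reuse the page's sample values (member_id 123, the 2025-01-16 expiry), which is why the demo passes an explicit clock. The request-otp response shape and the stamps/add response shape are assumptions; only the verify-otp response is shown on this page.

```python
"""Added example, not Raba7ni's own code: the OTP flow end to end, with the
member token cached alongside its expires_at and checked before every use.
The `send` hook is an assumption so the code runs offline against `fake_api`;
in production pass a real HTTP sender with the same signature.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://app.raba7ni.com/api/v1"
Sender = Callable[[str, str, Dict[str, str], bytes], Tuple[int, bytes]]


@dataclass
class MemberSession:
    member_id: int
    token: str  # opaque bearer secret: never log it, never trust its contents client-side
    expires_at: datetime


def parse_expires_at(value: str) -> datetime:
    """verify-otp returns ISO-8601 UTC with a trailing Z (e.g. 2025-01-16T10:30:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fresh(session: Optional[MemberSession], now: Optional[datetime] = None,
             margin: timedelta = timedelta(minutes=5)) -> bool:
    """True while more than `margin` of life is left; the margin absorbs clock skew."""
    if session is None:
        return False
    now = now or datetime.now(timezone.utc)
    return session.expires_at - margin > now


class MemberAuthClient:
    def __init__(self, app_id: str, api_key: str, send: Sender):
        self.app_id, self.api_key, self.send = app_id, api_key, send
        self.session: Optional[MemberSession] = None

    def _post(self, path: str, body: dict, member_token: Optional[str] = None):
        headers = {"X-App-Id": self.app_id, "X-Api-Key": self.api_key,
                   "Content-Type": "application/json", "Accept": "application/json"}
        if member_token:
            headers["X-Member-Token"] = member_token
        status, raw = self.send("POST", BASE_URL + path, headers, json.dumps(body).encode())
        return status, json.loads(raw)

    def request_otp(self, phone: str) -> bool:
        status, body = self._post("/members/auth/request-otp", {"phone_number": phone})
        return status == 200 and body.get("success") is True  # response shape assumed

    def verify_otp(self, phone: str, otp: str) -> MemberSession:
        status, body = self._post("/members/auth/verify-otp",
                                  {"phone_number": phone, "otp": otp})
        if status != 200 or not body.get("success"):
            raise PermissionError("OTP rejected")  # say no more than that to the member
        d = body["data"]
        self.session = MemberSession(d["member_id"], d["member_token"],
                                     parse_expires_at(d["expires_at"]))
        return self.session

    def add_stamps(self, card_id: int, stamps: int, now: Optional[datetime] = None) -> dict:
        """Member-authenticated call; a stale token is refused locally so the
        caller restarts the OTP flow instead of burning a request on a 401."""
        if not is_fresh(self.session, now):
            raise PermissionError("member token missing or expired; request a new OTP")
        status, body = self._post("/stamps/add", {"card_id": card_id, "stamps": stamps},
                                  member_token=self.session.token)
        if status != 200:
            raise RuntimeError(f"stamps/add failed with HTTP {status}")
        return body


# Constructed stand-in for the API; its values come from this page's samples.
FAKE_TOKEN = "eyJhbGciOiJIUzI1NiIs.example.token"
FAKE_EXPIRES = "2025-01-16T10:30:00Z"


def fake_api(method: str, url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    if headers.get("X-App-Id") != "app_abc123" or headers.get("X-Api-Key") != "prod_sk_xyz789":
        return 401, b'{"success": false}'
    payload = json.loads(body)
    if url.endswith("/members/auth/request-otp"):
        return 200, b'{"success": true}'
    if url.endswith("/members/auth/verify-otp"):
        if payload.get("otp") != "123456":
            return 400, b'{"success": false}'
        data = {"member_token": FAKE_TOKEN, "expires_at": FAKE_EXPIRES, "member_id": 123}
        return 200, json.dumps({"success": True, "data": data}).encode()
    if url.endswith("/stamps/add"):
        if headers.get("X-Member-Token") != FAKE_TOKEN:
            return 401, b'{"success": false}'
        return 200, b'{"success": true}'
    return 404, b'{"success": false}'


if __name__ == "__main__":
    client = MemberAuthClient("app_abc123", "prod_sk_xyz789", fake_api)
    client.request_otp("+21612345678")
    session = client.verify_otp("+21612345678", "123456")
    print(client.add_stamps(5, 2, now=session.expires_at - timedelta(hours=1)))
```

The token in the sample response looks like a JWT, but treat it as an opaque secret: the API validates it, and nothing in your server should decode it to make authorization decisions.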
Security Best Practices
Never Expose Keys in Client-Side Code
Always make API calls from your server, not from browser JavaScript or a mobile app: anything shipped to the client can be inspected, and a leaked key lets whoever holds it act as your application with that key's scopes.
Use Environment Variables
Store your API keys in environment variables, not in code files that might be committed to version control.
RABA7NI_APP_ID=app_abc123def456
RABA7NI_API_KEY=prod_sk_xyz789ghi012
Use Minimum Required Scopes
Only request the scopes your application actually needs. This limits potential damage if a key is compromised.
Rotate Keys Regularly
Create new keys periodically and revoke old ones. This limits the window of exposure if a key leaks.
Monitor API Usage
Check your developer dashboard regularly for unusual activity patterns that might indicate a compromised key.
Rate Limiting
API requests are rate-limited based on your developer tier:
| Tier | Requests/Hour | Requests/Day |
|---|---|---|
| Sandbox | 100 | 500 |
| Basic Developer | 1,000 | 10,000 |
| Pro Developer | 5,000 | 50,000 |
| Enterprise Developer | 20,000 | 200,000 |
Rate Limit Headers
Check X-RateLimit-Remaining and X-RateLimit-Reset headers in responses to monitor your usage.
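As an added example (not Raba7ni's own code), the helper below reads X-RateLimit-Remaining and X-RateLimit-Reset from a response's headers and decides how long to pause before the next call: wait out the window on HTTP 429, and stop early when only a small reserve of the budget is left so member-facing calls such as OTP delivery are not starved by bulk traffic. It assumes X-RateLimit-Reset is a Unix timestamp in seconds; the page does not state the unit, so confirm it against a live response and adjust `seconds_until_reset` if the value is a count of seconds instead.

```python
"""Added example, not Raba7ni's own code: interpret the rate-limit headers and
compute a pause before the next request. Assumption: X-RateLimit-Reset is a
Unix timestamp in seconds (the page does not state the unit)."""
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RateLimitState:
    remaining: Optional[int]   # None when the header is absent or malformed
    reset_epoch: Optional[int]


def parse_rate_limit(headers: Dict[str, str]) -> RateLimitState:
    """Header names are matched case-insensitively; bad values become None."""
    lower = {k.lower(): v for k, v in headers.items()}

    def _int(name: str) -> Optional[int]:
        try:
            return int(lower[name])
        except (KeyError, ValueError):
            return None

    return RateLimitState(_int("x-ratelimit-remaining"), _int("x-ratelimit-reset"))


def seconds_until_reset(state: RateLimitState, now: Optional[float] = None) -> float:
    now = time.time() if now is None else now
    if state.reset_epoch is None:
        return 0.0
    return max(0.0, float(state.reset_epoch - now))


def pause_before_next(status: int, state: RateLimitState,
                      now: Optional[float] = None, reserve: int = 10) -> float:
    """Seconds to sleep before the next request.

    On HTTP 429 wait for the full window (1 s backstop if the header is missing).
    When the remaining budget is down to `reserve`, pause until reset so a
    few requests stay available for urgent calls. Otherwise do not pause.
    """
    if status == 429:
        return seconds_until_reset(state, now) or 1.0
    if state.remaining is not None and state.remaining <= reserve:
        return seconds_until_reset(state, now)
    return 0.0


if __name__ == "__main__":
    # Constructed response headers for demonstration.
    sample = {"X-RateLimit-Remaining": "3", "X-RateLimit-Reset": "1700000600",
              "Content-Type": "application/json"}
    st = parse_rate_limit(sample)
    print(f"remaining={st.remaining} pause={pause_before_next(200, st, now=1700000000)}s")
```

Wire `pause_before_next` into the sending path after every response rather than only on 429: by the time the API answers 429 the hour's budget is already spent, and the headers on ordinary 200 responses are the early warning.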