Authentication guide

To make authenticated calls to our API, there are four pieces of information that remain static:

  • The username of your WellnessLiving user
  • The password of your WellnessLiving user
  • The authorization code
  • The authorization ID

The user can be a client or a staff member, but it’s recommended to make all calls with a staff member since they’ll have broader access than clients. The authorization ID is used in the request header. The authorization ID and code are both used when calculating the signature.

WellnessLiving’s API uses a generated signature in the HTTP request header for additional security. The signature is a string computed as a hash of multiple values. Signature generation isn’t required if the endpoint doesn’t require authentication.

When authenticating, there are two session creation endpoints that need to be called before accessing the actual data required:

These two session creation endpoints aren’t required if the endpoint in question doesn’t require authentication.

Cookies

Two cookies are used to maintain your session, and their names depend on the server you’re using. For example, the cookies used on our Staging server are:

  • sp (Staging Persistent)
  • st (Staging Transient)

These cookies are usable for 30 days.

Signature hash examples

See below for three examples showing how to calculate the signature value. While the first two examples are incomplete, they’re intended to help validate your solution. The PHP source code is included at the end of this document.

  • Example 1: Empty String — Allows you to check whether your SHA-256 implementation is the same as the one used by WellnessLiving.
  • Example 2: Array Conversion — Allows you to check whether your array serialization is the same as the one used by WellnessLiving.
  • Example 3: Full Example — Allows you to check whether your overall solution is compatible with WellnessLiving’s API.