Authentication
Authentication for the Ordering Channel API is configured per-partner during integration setup.
Overview
OneTablet supports multiple authentication methods depending on your platform's requirements. The specific method will be determined during your integration onboarding.
Inbound Authentication (Your Requests to OneTablet)
When your platform calls OneTablet endpoints (e.g., pulling menus), authentication is configured during integration:
| Method | Description |
|---|---|
| API Key | Include key in x-api-key header |
| Bearer Token | Include token in Authorization: Bearer {token} header |
| Custom | Other methods as agreed during integration |
Example with API Key
curl -X GET "https://integration.onetablet.example/pull/menus/store-123" \
-H "x-api-key: your-api-key"
Outbound Authentication (OneTablet Calls to You)
When OneTablet calls your webhook endpoints (order confirmation, menu push, etc.), you configure how we authenticate:
| Method | Description |
|---|---|
| API Key | OneTablet includes key in request header |
| Bearer Token | OneTablet includes JWT in Authorization header |
| Custom | Other methods as agreed during integration |
Verifying OneTablet Requests
You should verify incoming webhook requests from OneTablet by:
- Checking the authentication header configured during integration
- Validating source IP against OneTablet's IP allowlist (provided during setup)
- Confirming the store ID matches your account
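The three checks above, combined into one fail-closed function. This is an added example, not OneTablet's own code; the header name `x-api-key` for outbound calls, the IP ranges and the store IDs are assumptions and constructed sample values.

```python
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class WebhookPolicy:
    """Values agreed during integration setup (all sample values are constructed)."""
    api_key: str                    # shared secret OneTablet sends to us
    allowed_networks: tuple         # CIDR strings from the IP allowlist
    store_ids: frozenset            # store IDs that belong to our account
    header_name: str = "x-api-key"  # assumption: header agreed at onboarding


def verify_webhook(policy, headers, peer_ip, store_id):
    """Return (ok, reason). Runs the three checks; fails closed on bad input."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    presented = normalised.get(policy.header_name.lower(), "")
    # Constant-time comparison avoids leaking key bytes through timing.
    if not presented or not hmac.compare_digest(presented.encode(), policy.api_key.encode()):
        return False, "bad_credentials"

    # peer_ip must be the TCP peer address (or one set by a proxy you
    # control), never a client-supplied X-Forwarded-For value.
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "bad_source_ip"
    if not any(addr in ipaddress.ip_network(n) for n in policy.allowed_networks):
        return False, "source_ip_not_allowlisted"

    if store_id not in policy.store_ids:
        return False, "unknown_store"
    return True, "ok"


# Constructed sample policy: documentation-range IPs and made-up store IDs.
SAMPLE_POLICY = WebhookPolicy(
    api_key="sample-key-not-real",
    allowed_networks=("203.0.113.0/24", "198.51.100.7/32"),
    store_ids=frozenset({"store-123", "store-456"}),
)

if __name__ == "__main__":
    print(verify_webhook(SAMPLE_POLICY, {"X-API-Key": "sample-key-not-real"},
                         "203.0.113.10", "store-123"))
```

The reason string is for your own logs; the response sent back to the caller should stay generic.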
Request Headers
All API requests should include:
| Header | Value | Required |
|---|---|---|
| x-api-key or Authorization | Authentication credentials | Yes |
| Content-Type | application/json | Yes (for POST/PATCH/PUT) |
| User-Agent | Your application identifier | Recommended |
Error Responses
401 Unauthorized
Returned when authentication fails:
{
"error": "Unauthorized",
"message": "Invalid or missing authentication"
}
Common causes:
- Missing authentication header
- Invalid API key or token
- Expired credentials
403 Forbidden
Returned when the authenticated user lacks permission:
{
"error": "Forbidden",
"message": "Access denied to this resource"
}
Security Best Practices
- Never expose credentials in client-side code or public repositories
- Use environment variables to store credentials
- Rotate credentials periodically
- Use HTTPS for all API communication
- Implement retry logic for authentication errors
Getting Credentials
Contact OneTablet technical support to:
- Obtain your API credentials
- Configure authentication method
- Receive IP allowlist for webhook verification
- Set up sandbox environment access