search
API ReferenceProduct DocsLoyalty ConsoleGet Support

keyAPI Authentication

Understand how authentication and authorization work across the WLL API, including access levels, token handling, and how to request credentials.

All requests to the White Label Loyalty (WLL) API require an API key. Depending on the type of request, you may also need to authenticate as a user or administrator using an access token.

This section explains the different authorization levels, how to generate and use access tokens, and how to request the credentials needed for secure integration.

circle-info

hashtag
Authentication vs authorization

  • Authentication is about proving who you are. In WLL, this means supplying a valid API key and, where needed, a token (user or admin).

  • Authorization is about what you’re allowed to do. Once authenticated, your token defines which operations you can perform based on your access level.

hashtag
Access levels & methods

There are three levels of authorization in the WLL platform:

Access level
Headers required
Use case examples

Anonymous API access

Requires only the API key.

X-Api-Key only

Used for public data access (e.g. browsing rewards or venues).

User API access

Requires the API key and a user access token.

X-Api-Key + Authorization: Bearer <user token>

Used to interact on behalf of a specific end-user (e.g. report events, view points balance, see user-specific rewards).

Administrator API access

Requires the API key and an admin access token.

X-Api-Key + Authorization: Bearer <admin token>

Used for privileged operations (e.g. reporting back-office events, managing rewards).

Each access level is explained in its own article with example requests and configuration notes.

hashtag
Getting your API key

You can find your API key in the Loyalty Console under Settings > Tenant.

Tenant settings page in the Loyalty Console

hashtag
Getting your admin auth credentials

To access admin-level endpoints, you’ll need to request your client credentials (client ID and secret), which are used to generate admin access tokens. See Request API credentials.

PreviousChecking audience membershipNextAnonymous API access

Last updated