Security

Clubfit has implemented OAuth2 authentication for our integration partners.

The OAuth 2.0 authorisation framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service or by allowing the third-party application to obtain access on its behalf.

OAuth introduces an authorisation layer separating the role of the client from that of the resource owner.

In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server and is issued a different set of credentials than those of the resource owner.

Instead of using the resource owner's credentials to access protected resources or perform other actions, the client obtains an access token -- a string with a specific scope, lifetime, and other access attributes. Access tokens are issued by an authorisation server provided by Clubfit Software. The client then uses the access token to access the specific resources hosted by Clubfit Software.

Transport Layer Security

Clubfit employs Transport Layer Security (TLS) to ensure the security of all data transferred to our platform. All online requests submitted from your system should be TLS encrypted and submitted to port 443.

Authentication

User credentials and per club API keys will be supplied by Clubfit.

As part of OAuth2, an access token has to be obtained before calling Clubfit API endpoints. The access token is then sent in the HTTP Authorization header of each request.

Access token request

Send a POST request to Novatti's /token?grant_type=client_credentials endpoint.

Set the Authorization header of the HTTP request to "Basic" followed by the Base64-encoded OAuth2 client credentials, as set up in the merchant portal.

Example

Basic NjNmZTkxMjktODZlMC00MDdlLWFiOWUtYTk2Y2U2YjNhOTg1OmEzNDQ4YzhhYmM3NDUyNjg4YThmYWFlODNlOWU4NTQ5NTQwMmIyYmNiNjNiZThjNTQyNWE4YjdjMzc4OTRhZmE=


The response will contain the AccessToken as well as the AccessToken expiry.

Authentication response example
{
    "AccessToken": "eyJraWQiOiJKU3FXNzNtcmNkMDBvN1JQMWlYXC9jakNuU04yVktYM1FwMGoyaHpRcGdYOD0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1OTdlZTRmOC03MDMxLTcwMDMtYWZmYS01NTgwNzY4OTZmNTkiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuYXAtc291dGhlYXN0LTIuYW1hem9uYXdzLmNvbVwvYXAtc291dGhlYXN0LTJfUkhpdGRvRWtGIiwiY2xpZW50X2lkIjoiNTFiNzgyYTFqaHIzbzAxYmZiamRsb3JhbWkiLCJvcmlnaW5fanRpIjoiMzFhYTc5N2ItMWE1Yy00MzM5LWJjNmItM2ZmNWU2MzUyOTg0IiwiZXZlbnRfaWQiOiI5NGNiZmFmYS1kYjExLTQzMWQtODcxOS1iZGE3NmVmN2VjYjEiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6ImF3cy5jb2duaXRvLnNpZ25pbi51c2VyLmFkbWluIiwiYXV0aF90aW1lIjoxNzI2NzM3MjQ4LCJleHAiOjE3MjY3NDA4NDgsImlhdCI6MTcyNjczNzI0OCwianRpIjoiN2FmODUwYzktZjhiYS00Njk5LTliYzMtMjkwN2ZkNGNiYjllIiwidXNlcm5hbWUiOiJjbHViZml0YmV0YSJ9.pCO0ih-pbROn9ydSOMLxNU6ChxSajT3QFdtE8fC-FYd5AvVZ2OwP0oM5c2CFqKtxlamR4Lkd545lwY5wXWZuh3koZpPmamePNh7XOzZ9rOj2KgtI1drTtGKKCqm6JPImSATpAt0WIPkusfHeQFV6EEjv0XwoKs-4_Yi3oo3y0iJlPPglKgc-FwO0doXe44cBdvCW-XHSHaiFQHYNB82KAgxDE_AsoKH45hGZfUlfMZ1qVVCIAD3-E3O2fpglvB0oz8y8z-btd6fSkOUdIfGqweDISjQYJ-ygrrKPeaEgkbTzgEdlDLel1aeuYRBuUT5gEf_wbiaiIrJkaK_BzCSkag",
    "ExpiresIn": 3600,
    "TokenType": "Bearer"
}

The AccessToken will then be included in the subsequent payment transaction request as part of the HTTP Authorization field.

Example

bearer eyJraWQiOiJKU3FXNzNtcmNkMDBvN1JQMWlYXC9jakNuU04yVktYM1FwMGoyaHpRcGdYOD0iLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1OTdlZTRmOC03MDMxLTcwMDMtYWZmYS01NTgwNzY4OTZmNTkiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAuYXAtc291dGhlYXN0LTIuYW1hem9uYXdzLmNvbVwvYXAtc291dGhlYXN0LTJfUkhpdGRvRWtGIiwiY2xpZW50X2lkIjoiNTFiNzgyYTFqaHIzbzAxYmZiamRsb3JhbWkiLCJvcmlnaW5fanRpIjoiMzFhYTc5N2ItMWE1Yy00MzM5LWJjNmItM2ZmNWU2MzUyOTg0IiwiZXZlbnRfaWQiOiI5NGNiZmFmYS1kYjExLTQzMWQtODcxOS1iZGE3NmVmN2VjYjEiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6ImF3cy5jb2duaXRvLnNpZ25pbi51c2VyLmFkbWluIiwiYXV0aF90aW1lIjoxNzI2NzM3MjQ4LCJleHAiOjE3MjY3NDA4NDgsImlhdCI6MTcyNjczNzI0OCwianRpIjoiN2FmODUwYzktZjhiYS00Njk5LTliYzMtMjkwN2ZkNGNiYjllIiwidXNlcm5hbWUiOiJjbHViZml0YmV0YSJ9.pCO0ih-pbROn9ydSOMLxNU6ChxSajT3QFdtE8fC-FYd5AvVZ2OwP0oM5c2CFqKtxlamR4Lkd545lwY5wXWZuh3koZpPmamePNh7XOzZ9rOj2KgtI1drTtGKKCqm6JPImSATpAt0WIPkusfHeQFV6EEjv0XwoKs-4_Yi3oo3y0iJlPPglKgc-FwO0doXe44cBdvCW-XHSHaiFQHYNB82KAgxDE_AsoKH45hGZfUlfMZ1qVVCIAD3-E3O2fpglvB0oz8y8z-btd6fSkOUdIfGqweDISjQYJ-ygrrKPeaEgkbTzgEdlDLel1aeuYRBuUT5gEf_wbiaiIrJkaK_BzCSkag

Invalid / Expired access tokens

Should an access token be considered invalid, an HTTP 401 (Unauthorized) response will be returned with the following fields.

Invalid / expired token response example
{
    "message": "The incoming token has expired"
}

Per club x-api-key Headers

Each club that you have requested access to, via the Clubfit API, will be assigned an API Key. This key needs to be supplied in the header of each call in the x-api-key header.

Example format

x-api-key: 82e53902-d0a2-419b-a241-1f55f08f8005
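The whole procedure above (Basic-authenticated token request, Bearer token on each call, x-api-key per club, and recovery from the 401 "The incoming token has expired" response) as one client, written here as an added example rather than code supplied by Clubfit or Novatti. The host names, the resource path /v1/members, the 403 for a missing x-api-key and the FakeClubfit stand-in are assumptions made so the example runs offline; only the /token?grant_type=client_credentials path, the header names and the JSON field names come from the page.

```python
import base64
import json
import time
from typing import Callable, Dict, Tuple

# Hypothetical hosts: the page gives the /token path and field names but no host.
TOKEN_URL = "https://api.example.invalid/token?grant_type=client_credentials"
API_URL = "https://api.example.invalid/v1/members"  # hypothetical resource endpoint

# A transport is any callable (method, url, headers) -> (status, body_bytes),
# so the client can be driven by a real HTTP library or by the fake below.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, bytes]]


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the 'Basic <base64(client_id:client_secret)>' value for the token request."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


class ClubfitClient:
    # Refresh this many seconds before ExpiresIn runs out so that clock skew
    # and request latency do not turn into avoidable 401 responses.
    REFRESH_MARGIN = 60

    def __init__(self, client_id: str, client_secret: str, api_key: str,
                 transport: Transport, now: Callable[[], float] = time.time):
        self._basic = basic_auth_header(client_id, client_secret)
        self._api_key = api_key          # per-club key, sent as x-api-key
        self._transport = transport
        self._now = now                  # injectable clock, for testing expiry
        self._token = None
        self._expires_at = 0.0

    def _fetch_token(self) -> str:
        status, body = self._transport("POST", TOKEN_URL, {"Authorization": self._basic})
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        data = json.loads(body)
        self._token = data["AccessToken"]
        # Trust ExpiresIn from the response; the JWT payload is not parsed here.
        self._expires_at = self._now() + int(data["ExpiresIn"])
        return self._token

    def access_token(self) -> str:
        """Return a cached token, fetching a new one when missing or near expiry."""
        if self._token is None or self._now() >= self._expires_at - self.REFRESH_MARGIN:
            return self._fetch_token()
        return self._token

    def get(self, url: str) -> Tuple[int, bytes]:
        """GET a Clubfit resource; on a 401 (expired/invalid token) refresh once and retry."""
        for attempt in range(2):
            headers = {
                "Authorization": "Bearer " + self.access_token(),
                "x-api-key": self._api_key,
            }
            status, body = self._transport("GET", url, headers)
            if status == 401 and attempt == 0:
                self._token = None   # discard the rejected token; retry with a fresh one
                continue
            return status, body
        return status, body


class FakeClubfit:
    """Constructed stand-in for the token and resource endpoints (offline demo only)."""

    def __init__(self, expected_basic: str, api_key: str):
        self.expected_basic = expected_basic
        self.api_key = api_key
        self.issued = 0
        self.valid_tokens = set()

    def expire_all(self) -> None:
        """Simulate the server side no longer accepting previously issued tokens."""
        self.valid_tokens.clear()

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, bytes]:
        if method == "POST" and url == TOKEN_URL:
            if headers.get("Authorization") != self.expected_basic:
                return 401, b'{"message": "Unauthorized"}'
            self.issued += 1
            token = f"token-{self.issued}"
            self.valid_tokens.add(token)
            body = {"AccessToken": token, "ExpiresIn": 3600, "TokenType": "Bearer"}
            return 200, json.dumps(body).encode("utf-8")
        if headers.get("x-api-key") != self.api_key:
            return 403, b'{"message": "Forbidden"}'   # status assumed; page documents only the 401
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in self.valid_tokens:
            return 401, b'{"message": "The incoming token has expired"}'   # wording from the page
        return 200, b'{"ok": true}'


if __name__ == "__main__":
    server = FakeClubfit(basic_auth_header("id", "secret"), "key-123")
    client = ClubfitClient("id", "secret", "key-123", server)
    print(client.get(API_URL))        # (200, b'{"ok": true}')
    server.expire_all()
    print(client.get(API_URL))        # 401 on first try, transparent refresh, then 200
    print("tokens issued:", server.issued)
```

The client treats the 401 as a signal to fetch a new token exactly once per call; a second 401 is returned to the caller rather than retried, so a revoked or misconfigured credential surfaces as an error instead of a retry loop against the token endpoint.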