Set Up API Security
In order to ensure the security and integrity of our Radial API transactions, all communications must be encrypted and all API calls must include a valid API Key specific to the client and environment.
Encrypted Traffic
All communication from and to the client must use secure encryption (HTTPS). The web service layer supports only the Secure Sockets Layer (SSL) protocol SSLv3.
Requests made to the API over unsecured channels (such as plain HTTP) are ignored. In any unencrypted communication, the API key could be "sniffed" from the request and used for fraudulent transactions.
If unencrypted communications occur, the client should request an emergency API key rotation to ensure their EP channel remains secure.
POST Action
Service requests must be sent using POST actions.
API Keys
A set of API keys is assigned by the Radial technical services team during a client's launch process. Keys are generated for each client for each environment the client is authorized to access. These keys must be included in the request header of each message sent to Radial APIs. The keys authenticate the source of the request, and the server uses them to check whether the client is authorized to use the specific environment, function, and version of the API requested.
Exclude API Keys from Logging
API keys are sent in the request header rather than in the URL, so they are not captured in standard server access logs (which record the request line, not the headers) and retain their protection. API key values must never be stored in clear text in any log file or data repository.
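The requirement above is easy to violate by accident: a client that logs its outgoing headers for debugging, or an exception handler that echoes the whole request, writes the key to disk in clear text. The following Python is an added example (it is not Radial's code) of two defensive layers: a header redaction helper used at every deliberate log call, and a logging filter that scrubs known key values from any message that reaches the logger, including careless ones. The key value is the deactivated example key from this document; the logger name and URL are constructed.

```python
"""Added example (not Radial's code): keep API key values out of log output."""
import io
import logging
import re

# Header names whose values must never appear in a log line.
SENSITIVE_HEADERS = {"apikey", "authorization"}


def redact_headers(headers):
    """Return a copy of the headers that is safe to log.

    Sensitive values are replaced by a short fingerprint (last four characters)
    so that the key in use can still be identified without being recoverable.
    """
    safe = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            safe[name] = "***" + value[-4:]
        else:
            safe[name] = value
    return safe


class KeyScrubber(logging.Filter):
    """Logging filter that masks registered key values wherever they appear
    in a formatted message, catching log calls that bypassed redact_headers."""

    def __init__(self, keys):
        super().__init__()
        keys = [k for k in keys if k]
        self._pattern = re.compile("|".join(re.escape(k) for k in keys)) if keys else None

    def scrub(self, text):
        return self._pattern.sub("[REDACTED]", text) if self._pattern else text

    def filter(self, record):
        # Format the message first so keys passed as %-arguments are covered too.
        record.msg = self.scrub(record.getMessage())
        record.args = None
        return True


def log_request(url, headers, known_keys):
    """Log a request through a scrubbed logger and return the text that was
    actually written, so the effect of both layers can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger("radial.client")  # constructed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.handlers = [handler]
    logger.filters = [KeyScrubber(known_keys)]

    # The disciplined call: headers are redacted before they reach the logger.
    logger.info("POST %s headers=%s", url, redact_headers(headers))
    # A careless call that logs the raw headers: the filter still scrubs the key.
    logger.info("debug dump: %s", headers)
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    key = "3d3ba833daec4bf256f68006a6b0fbab"  # deactivated example key from the page
    print(log_request("https://developer.na.gsipartners.com/v1.0/stores/storeid/address/validate",
                      {"apikey": key, "Content-Type": "text/xml"}, [key]))
```

The filter is a safety net, not a substitute for redaction: it only knows the key values registered with it, so load the scrubber with every key the process holds (all environments and versions) at startup.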
API Key Usage
API Keys are specific to the client, API version, and environment. As a client, you will be given different keys for the developer and production environments. If you have access to multiple versions of the API (such as in the process of upgrading), each different version of the API will require its own API keys.
Radial will rotate API keys at specific intervals or as needed. All API keys must be changed at least once every six months to help ensure the interactions between Radial and clients remain secure.
If Radial or a client determines that any API key has been compromised, the key must be changed immediately. If you find that an API key has been disclosed or otherwise compromised, contact the Radial production support line immediately and request a P1 ticket for the change.
API Key Examples
All API keys shown in examples in this document have been deactivated and will not work when making service requests. Use the API keys assigned to you by Radial for the specific service call environment. Do not use the API keys shown in examples.
Adding the API Key to the Service Request Header
The API key can be added to the header of a service request programmatically when the request is prepared to be sent to the Radial service.
The following example shows one possible method for adding the API key to a service request header in Java:
…
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
…
// DefaultHttpClient is the Apache HttpClient 4.x client (deprecated since 4.3 in favour of HttpClientBuilder)
DefaultHttpClient httpclient = new DefaultHttpClient();
HttpResponse response = null;
HttpEntity entity = null;
// the endpoint must be https://; plain http:// requests are ignored by the service
HttpPost httpost = new HttpPost("https://developer.na.gsipartners.com/v1.0/stores/storeid/address/validate");
// XML request data is added here, e.g. httpost.setEntity(new StringEntity(xml, "UTF-8"));
// set the API key request header (this example key has been deactivated)
httpost.setHeader("apikey", "3d3ba833daec4bf256f68006a6b0fbab");
response = httpclient.execute(httpost);
entity = response.getEntity();
…
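The Java excerpt above sets the header by hand and relies on the developer to get the scheme, the HTTP method and the key right. The Python below is an added example (it is not Radial's code) that enforces the rules from the "Encrypted Traffic", "POST Action" and "API Key Usage" sections in one place: it refuses any URL that is not https://, always produces a POST, derives the environment from the host and the API version from the first path segment, and selects the key issued for that exact environment and version so that a developer key is never sent to production. The key values, the production host name and the Content-Type are constructed placeholders; the developer host and path come from the Java example.

```python
"""Added example (not Radial's code): build a Radial service request that
satisfies the transport, method and key-selection rules from this document."""
from urllib.parse import urlparse

# Constructed keyring: one placeholder key per (environment, API version).
# Real keys are issued by Radial and should be loaded from a secret store.
KEYRING = {
    ("developer", "v1.0"): "0000000000000000000000000000dev1",
    ("production", "v1.0"): "0000000000000000000000000000prod",
}

# Constructed mapping from environment name to the host serving it.
# The developer host is the one used in the Java example; the production
# host is a placeholder because the page does not give one.
ENV_HOSTS = {
    "developer": "developer.na.gsipartners.com",
    "production": "production.example.invalid",
}


class InsecureRequest(ValueError):
    """Raised when a request would violate the transport or key rules."""


def environment_for(url):
    """Map the target host to the environment its keys were issued for."""
    host = urlparse(url).hostname or ""
    for env, env_host in ENV_HOSTS.items():
        if host == env_host:
            return env
    raise InsecureRequest("unknown host %r: no API key environment matches" % host)


def version_from_path(url):
    """Radial paths start with the API version segment, e.g. /v1.0/stores/..."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if not segments or not segments[0].startswith("v"):
        raise InsecureRequest("cannot determine API version from path of %r" % url)
    return segments[0]


def prepare_request(url, xml_body, keyring=KEYRING):
    """Return (method, url, headers, body) ready to hand to any HTTP client.

    - rejects anything but https:// (the service ignores plain HTTP, and the
      key would travel in clear text);
    - always uses POST;
    - picks the key matching the target environment and version, so a key for
      one environment or version is never sent to another.
    """
    parts = urlparse(url)
    if parts.scheme != "https":
        raise InsecureRequest("Radial requests must use https://, got %r" % parts.scheme)
    env = environment_for(url)
    version = version_from_path(url)
    try:
        api_key = keyring[(env, version)]
    except KeyError:
        raise InsecureRequest("no API key issued for %s %s" % (env, version)) from None
    headers = {
        "apikey": api_key,
        # Content-Type is assumed; the page only says the body is XML.
        "Content-Type": "text/xml; charset=utf-8",
    }
    return ("POST", url, headers, xml_body.encode("utf-8"))


if __name__ == "__main__":
    method, target, hdrs, body = prepare_request(
        "https://developer.na.gsipartners.com/v1.0/stores/storeid/address/validate",
        "<AddressValidationRequest/>")
    print(method, target, sorted(hdrs), len(body))
```

Because every outgoing call passes through prepare_request, an http:// URL pasted from a test script or a developer key configured on a production host fails at build time rather than producing an ignored request or a leaked key.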