Authentication

The QUIS API uses an API key to authenticate requests. You can view and manage your API key in your company settings. Only your company's admins can access and manage the keys.

You are responsible for keeping your keys secure. We recommend keeping them hidden to prevent abuse. However, some applications require their use in the frontend. We therefore added a security feature to make it more difficult to abuse compromised keys.

Domain: Since v1.4.0 keys have an optional domain scope, meaning the request only returns a successful response from a specific domain. In addition, this sets related CORS and X-Frame-Options headers to enable browser security features and prevent simple integration on other domains. The following examples show how we evaluate different values:

  • an empty entry will not send any CORS and X-Frame-Options headers; browsers will block their frontend usage
  • quis.de validates only the exact domain quis.de
  • developer.quis.de validates only the exact subdomain developer.quis.de
  • *quis.de or *.quis.de validate any wildcard domain, such as quis.de and developer.quis.de
  • *.developer.quis.de validates any wildcard subdomain, such as developer.quis.de and demo.developer.quis.de

Authentication to the API is performed via query or body parameters. Examples are provided in each endpoint's documentation.

All API requests must be made over HTTPS. Calls made over plain HTTP will be redirected and may fail. API requests without authentication will also fail.

Request Log

QUIS provides a request log and statistics in your company settings. The request log contains all your valid requests made to the QUIS API, meaning for example requests with invalid params are not logged. You can export your requests as a CSV file for further analysis.

FieldDescriptionTypeRemarks
idRequest id returned in the X-Request-Id headerUUIDe. g. 3eaeb60c-7d74-4961-b2d2-02e6602a8162
timestampTimestamp of the requeststringe. g.: 2022-04-26T15:27:23.640+02:00
isBillableWhether the request is billable or notbooleanresponseCode >= 200 && responseCode < 300
endpointPath of the requested endpointstring
endpointGroupThe group the endpoint belongs tostring
apiKeyLast four digits of the api keystring(4)
ipAddressIp address of the clientstringe. g. 127.0.0.1
responseCodeResponse codeinteger
paramsThe request paramsobject
latitudeThe latitude of the requested locationfloate. g. 50.123456
longitudeThe longitude of the requested locationfloate. g. 10.123456
customIdCustom id provided by the customerstring(64)Set by sending a X-Custom-Id header
customClientIdCustom client id provided by the customerstring(64)Set by sending a X-Custom-Client-Id header