Authentication

The QUIS API uses an API key to authenticate requests. You can view and manage your API key in your company settings. Currently, only your company's admins can access and manage the keys.

Generally, we recommend keeping your keys secure to prevent abuse. Still, some applications need to use them in the frontend. We added two security features to make it more difficult to abuse compromised keys. In any case, the customer is responsible for their keys.

Scopes: Since v1.4.0, keys require a scope. This should ensure that public iFrame keys cannot be used to make queries to the API and vice versa, limiting a compromised key's usage.

Domain: Since v1.4.0, keys have an optional domain scope, meaning a request only returns a successful response when it comes from the specified domain. In addition, this sets the related CORS and X-Frame-Options headers, so that browser security features prevent simple integration on other domains. The following examples show how we evaluate different values:

  • an empty entry will not send any CORS and X-Frame-Options headers; browsers will block frontend usage of the key
  • quis.de validates only the exact domain quis.de
  • developer.quis.de validates only the exact domain developer.quis.de
  • *quis.de or *.quis.de validates any wildcard domain, such as quis.de and developer.quis.de
  • *.developer.quis.de validates any wildcard subdomain, such as developer.quis.de and demo.developer.quis.de
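
The evaluation rules listed above, written out as an added example (this is not QUIS code). The names evaluate, domain_allowed and host_of are hypothetical, and the example assumes a wildcard matches only on a label boundary, so *quis.de would not match notquis.de; the list above does not state how that case is handled.

```python
from urllib.parse import urlsplit


def host_of(origin: str) -> str:
    """Return the lowercase hostname of an Origin value or a bare host."""
    # urlsplit only fills .hostname when a "//" authority marker is present.
    parts = urlsplit(origin if "//" in origin else "//" + origin)
    return (parts.hostname or "").rstrip(".").lower()


def domain_allowed(entry: str, origin: str) -> bool:
    """Apply one non-empty domain entry to the host a request came from."""
    entry = entry.strip().lower()
    host = host_of(origin)
    if not entry or not host:
        return False
    if entry.startswith("*"):
        # "*quis.de" and "*.quis.de" share the base "quis.de".
        base = entry.lstrip("*").lstrip(".")
        if not base:
            return False
        # Assumption: the base itself or any subdomain of it matches,
        # compared on a label boundary rather than as a raw suffix.
        return host == base or host.endswith("." + base)
    # No wildcard: only the exact domain validates.
    return host == entry


def evaluate(entry: str, origin: str) -> str:
    """Return "no-headers", "allowed" or "rejected" for a key's domain entry."""
    if not entry.strip():
        # Empty entry: no CORS / X-Frame-Options headers are sent.
        return "no-headers"
    return "allowed" if domain_allowed(entry, origin) else "rejected"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the list above.
    for entry, origin in [
        ("", "https://quis.de"),
        ("quis.de", "https://developer.quis.de"),
        ("*quis.de", "https://developer.quis.de"),
        ("*.developer.quis.de", "https://demo.developer.quis.de"),
        ("*.quis.de", "https://quis.de.example.com"),
    ]:
        print(f"{entry!r:26} {origin:36} -> {evaluate(entry, origin)}")
```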

Authentication to the API is performed via URL parameters or form data, depending on the HTTP verb. Examples are provided in each endpoint's documentation.

All API requests must be made over HTTPS. Calls made over plain HTTP will be redirected and may fail. API requests without authentication will also fail.

For problems and uncertainties, please reach out to our support: info@quis.de