
Overview

The FSS Measurement API uses a combination of API keys and Bearer tokens for authentication. All API requests must include proper authentication headers.

Required Headers

Every API request must include the following headers:
Header          Value                   Description
platform        WEB, IOS, or ANDROID    Platform identifier
api-key         FSS2023                 Static API key for basic authentication
Content-Type    application/json        Content type for request body
Accept          application/json        Expected response format
Authorization   Bearer {token}          User authentication token (for protected routes)

Authentication Flow

Step 1: Public Endpoints

Some endpoints like signup, signin, and forgot password don’t require a Bearer token:
curl --location 'http://fssportal.com/api/v1/user/signup' \
--header 'platform: WEB' \
--header 'api-key: FSS2023' \
--header 'Content-Type: application/json'
Step 2: Get Authentication Token

Sign in to receive your Bearer token:
curl --location 'http://fssportal.com/api/v1/user/signin' \
--header 'platform: WEB' \
--header 'api-key: FSS2023' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "user@example.com",
    "password": "password123",
    "device_token": "",
    "platform": "WEB"
}'
Response:
{
  "message": "Login successful",
  "data": {
    "api_token": "abc123def456...",
    "user": { ... }
  }
}
Step 3: Use Bearer Token

Include the token in protected endpoint requests:
curl --location 'http://fssportal.com/api/v1/user/get_profile' \
--header 'platform: WEB' \
--header 'api-key: FSS2023' \
--header 'Authorization: Bearer abc123def456...' \
--header 'Content-Type: application/json'

Token Management

API tokens do not expire automatically but can be invalidated when:
  • User changes password
  • User logs out
  • Account is deactivated
  • Security breach is detected
Best Practices:
  • Store tokens securely in environment variables
  • Never commit tokens to version control
  • Use secure storage mechanisms (keychain, secure storage)
  • Implement token refresh logic in your application
Users can be authenticated on multiple devices simultaneously. Each device can have its own device token for push notifications.

Middleware & Permissions

The API uses Laravel middleware for authentication and authorization:

Public Routes

No authentication required:
  • /user/signup
  • /user/signin
  • /user/qrcode_signin
  • /user/forgot_password
  • /user/reset_password/{token}
  • /user/update_password
  • /user/settings
  • /countries/index
  • /how-works/get

Protected Routes

Requires the Authorization: Bearer {token} header:
  • All client management endpoints
  • All room management endpoints
  • All measurement endpoints
  • User profile endpoints
  • Subscription endpoints

Subscription Required

Requires active subscription:
  • Most endpoints require an active subscription plan
  • Check subscription status via /transactions/get_user_current_plan

Error Responses

401 Unauthorized

{
  "message": "Unauthenticated.",
  "status": 401
}

403 Forbidden

{
  "message": "Subscription required.",
  "status": 403
}

429 Too Many Requests

{
  "message": "Too many requests. Please try again later.",
  "status": 429
}

Security Best Practices

HTTPS Only

Always use HTTPS for API requests to ensure data encryption in transit

Secure Storage

Store API tokens in secure, encrypted storage mechanisms

Token Rotation

Implement token refresh logic and handle expired tokens gracefully

Rate Limiting

Respect rate limits (60 requests/minute) to avoid throttling

Code Examples

class FSSClient {
  constructor(apiKey) {
    // Per the HTTPS Only guidance above, use an https:// base URL in production.
    this.baseURL = 'http://fssportal.com/api/v1';
    this.apiKey = apiKey;
    this.token = null;
  }

  // Step 2 of the authentication flow: exchange credentials for a Bearer token.
  async signIn(email, password) {
    const response = await fetch(`${this.baseURL}/user/signin`, {
      method: 'POST',
      headers: {
        'platform': 'WEB',
        'api-key': this.apiKey,
        'Content-Type': 'application/json',
        'Accept': 'application/json'
      },
      body: JSON.stringify({
        email,
        password,
        device_token: '',
        platform: 'WEB'
      })
    });

    const data = await response.json();
    // A failed sign-in returns an error body with no data.api_token; report it
    // instead of letting the property access below throw a TypeError.
    if (!response.ok || !data.data || !data.data.api_token) {
      throw new Error(`Sign-in failed (${response.status}): ${data.message || 'no token in response'}`);
    }
    this.token = data.data.api_token;
    return this.token;
  }

  // Step 3: call a protected route with the Bearer token obtained from signIn().
  async makeAuthenticatedRequest(endpoint, method = 'POST', body = null) {
    if (!this.token) {
      throw new Error('Not signed in: call signIn() before using protected endpoints');
    }
    const headers = {
      'platform': 'WEB',
      'api-key': this.apiKey,
      'Authorization': `Bearer ${this.token}`,
      'Content-Type': 'application/json',
      'Accept': 'application/json'
    };

    const options = { method, headers };
    if (body) options.body = JSON.stringify(body);

    const response = await fetch(`${this.baseURL}${endpoint}`, options);
    // Error responses (401 Unauthenticated, 403 Subscription required, 429 rate
    // limited) come back as JSON bodies with a "message" and "status" field.
    return response.json();
  }
}
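The Error Responses and Rate Limiting sections describe what the API returns but not how a client should react. The following is an added example, not code from the FSS documentation, that maps the documented 401, 403 and 429 responses to a bounded recovery policy (re-authenticate once on 401, since tokens are invalidated by password change or logout; stop and consult the plan endpoint on 403; back off on 429 using the 60 requests/minute limit). The request, signIn and sleep callbacks, the one-retry policy and the constructed response sequence in the demo are assumptions.

```javascript
const RATE_LIMIT_PER_MINUTE = 60; // documented limit

// Decide what to do with a response status. Pure function so it is easy to test.
function recoveryAction(status, attempt) {
  if (status === 401) {
    // Token invalidated (password change, logout, deactivation): re-authenticate
    // once; a second 401 means the credentials themselves are wrong.
    return attempt === 0 ? { action: 'reauth' } : { action: 'fail' };
  }
  if (status === 403) {
    // "Subscription required.": retrying will not help, check the plan instead.
    return { action: 'check_plan', endpoint: '/transactions/get_user_current_plan' };
  }
  if (status === 429) {
    // One request slot is 60000 ms / 60 = 1000 ms; double the wait per attempt.
    const slotMs = Math.ceil(60000 / RATE_LIMIT_PER_MINUTE);
    return { action: 'backoff', delayMs: slotMs * 2 ** attempt };
  }
  return { action: status >= 200 && status < 300 ? 'ok' : 'fail' };
}

// request() returns { status, body }; signIn() refreshes the token (e.g. the
// FSSClient.signIn above); sleep(ms) resolves after the delay. All assumed.
async function withRecovery(request, signIn, sleep, maxAttempts = 3) {
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    const res = await request();
    const next = recoveryAction(res.status, attempt);
    switch (next.action) {
      case 'ok': return res.body;
      case 'reauth': await signIn(); continue;
      case 'backoff': await sleep(next.delayMs); continue;
      case 'check_plan': throw new Error(`Subscription required; check ${next.endpoint}`);
      default: throw new Error(`Request failed with status ${res.status}`);
    }
  }
  throw new Error(`Gave up after ${maxAttempts} attempts`);
}

// Constructed demo: a stale token yields 401, the client re-signs in, then 200.
async function demo() {
  const responses = [
    { status: 401, body: { message: 'Unauthenticated.', status: 401 } },
    { status: 200, body: { data: { name: 'demo user' } } }
  ];
  let signIns = 0;
  const body = await withRecovery(async () => responses.shift(),
                                  async () => { signIns++; },
                                  async () => {});
  return { body, signIns }; // signIns is 1, body is the 200 response body
}
```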