HTTP Basic Auth deprecation


Latest update: - Nat Dudley

Note: If you're not a developer and you don't have any integrations/addons then you probably don't need to worry about this! If you're unsure, read on to learn more.

What is HTTP Basic Authentication?

HTTP Basic Authentication is a mechanism used to authorise requests to an API. It has worked well for us and our customers, but as things mature and our customers become more security conscious, we decided to replace it with a more secure protocol called OAuth.

What does this mean for me?

It's not a given that this change will affect you in any way. It will not matter to retailers who use Vend without any integrations or those using our most popular integrations such as Xero or Shopify. It will most likely impact you if you have commissioned a custom integration or are using some kind of scripted process to get data out of Vend. If you are not sure, you should get in touch with the developer who has created this software for you. If you, or the developer, need any assistance or have any further questions regarding this change, get in touch with us at: api@vendhq.com.

When will this change happen?

We've set the date for the 1st of May 2016. While this date has changed in the past, you should treat this one as final and assume that on the 1st of May 2016 basic authentication will stop working and it will only be possible to authorise custom integrations using OAuth or Personal Tokens.

Why are we doing this?

  • Security

In a continued effort to offer our customers world class services, we want to make sure that your data is safe with us. A few months ago we disabled access to Vend (for the web app and the API) via HTTP. Since then, Vend can only be accessed over an HTTPS connection. Deprecating Basic Authentication is the next step on the road to making Vend as secure as possible.

  • Visibility

You can see who is accessing your data and most importantly we can see who is causing issues in case things go wrong. It's important for us to be able to identify applications causing issues for our customers and Basic Auth did not allow this.

  • Flexibility

With OAuth and Personal Tokens, the identity of the app accessing your data is not bound to a user in your account. That means that you can revoke access for every app you are using separately, without changing any user details.

Does it matter if I use Xero, QuickBooks Online or Shopify integrations?

Nope, you're all good. We have created those integrations and have made sure they will work with this change.

3rd party applications already using OAuth

The following providers have worked with us to prepare for this change and if you use their service/product you should be good to go:

  • Timely
  • Unleashed
  • Deputy
  • Airsquare
  • Smallfish
  • Pozly
  • Rocketspark
  • Perkville
  • SkuBrain
  • Linksync
  • Vortex

There's still a chance that some of these providers may not have migrated all their connections to use OAuth. We recommend, therefore, that you get in touch with your provider to confirm that your account is already migrated.

I'm a developer. How do I start using OAuth?

  • First, you have to go to our developer page and register a developer account.
  • Next, you should create an app within this account.
  • Creating the app will give you all the details you need to implement OAuth within your app. More details of the OAuth process can be found here.

OAuth is too complicated to use. Can I keep using Basic Auth?

Nope. Basic Auth is going away. Fortunately though, we have an alternative solution: Personal Tokens. It's just as simple as Basic Auth to use but much more flexible and secure. More details here.
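
To find the scripted processes this change affects, a developer can search their own scripts for Basic Auth usage before the cutoff. The following is an added example, not Vend's code or part of the original article; the host example.invalid, the credentials and the sample script lines are all constructed.

```python
import base64
import binascii
import re

# Three common ways a script ends up sending HTTP Basic Auth credentials.
HEADER_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I)
CURL_RE = re.compile(r"\bcurl\b.*?(?:\s-u\s+|\s--user[\s=]+)(\S+)")
URL_RE = re.compile(r"https?://([^/\s:@]+):([^/\s@]+)@")


def decode_basic(value):
    """Return the username inside a Basic credential, or None if malformed."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def find_basic_auth(text):
    """Return (line_no, kind, username) per finding; passwords are never reported."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = HEADER_RE.search(line)
        if m:
            findings.append((no, "header", decode_basic(m.group(1))))
            continue
        m = URL_RE.search(line)
        if m:
            findings.append((no, "url", m.group(1)))
            continue
        m = CURL_RE.search(line)
        if m:
            findings.append((no, "curl", m.group(1).strip("'\"").split(":")[0]))
    return findings


# Constructed sample: lines from a hypothetical data-export script.
SAMPLE = """\
curl -u 'jo@example.com:hunter2' https://example.invalid/api/products
curl -H "Authorization: Basic am9AZXhhbXBsZS5jb206aHVudGVyMg==" https://example.invalid/api/sales
wget https://jo:hunter2@example.invalid/api/customers
curl -H "Authorization: Bearer CONSTRUCTED_TOKEN" https://example.invalid/api/products
"""

if __name__ == "__main__":
    for finding in find_basic_auth(SAMPLE):
        print(finding)
```

The Base64 value in a Basic header decodes straight back to the user's login and password, which is why each finding is tied to a user account rather than to an app.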
