Authentication
This guide explains how to securely authenticate with the ZapCloud API, which enables programmatic access to Zaptec’s electric vehicle charging solutions. Through the API, you can retrieve installation data and modify runtime parameters. To maintain data security and integrity, all API requests must be properly authenticated.
Authentication mechanism
The ZapCloud API employs the OAuth 2.0 Resource Owner Password Credentials (ROPC) Grant type. This method involves exchanging user credentials directly for an access token, which is then used to authorize subsequent API requests.
Authentication workflow
The authentication process involves obtaining an access token and then using it for API requests.
Step 1: Requesting an access token
To begin interacting with the API, your application must first obtain an OAuth Bearer Token.
- HTTP Method: POST
- Endpoint: https://api.zaptec.com/oauth/token
Request Details:
- Headers: Content-Type: application/x-www-form-urlencoded
- Body Parameters (form-urlencoded):
  - grant_type: Must be set to password.
  - username: Your registered Zaptec account username.
  - password: Your Zaptec account password.
Example: Token request
POST https://api.zaptec.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username={your_username}&password={your_password}
Sample curl request to obtain a bearer token for API access
curl -X POST https://api.zaptec.com/oauth/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username={your_username}&password={your_password}"
Successful Response:
A successful request returns a JSON object containing the access_token and other relevant information.
{
"access_token": "your_received_access_token",
"token_type": "Bearer",
"expires_in": 3600, // Lifespan of the access token in seconds
"scope": "read write offline_access" // Example scopes granted
}
Step 2: Using the access token
Once an access_token is obtained, include it in the Authorization header for all API calls to protected resources.
- Header Format: Authorization: Bearer {access_token}
  (Replace {access_token} with the token value received.)
Example: API Call with Access Token
GET /api/some_protected_resource
Host: api.zaptec.com
Authorization: Bearer your_received_access_token
Recommended security best practices
When implementing ZapCloud API authentication:
- Securely Store Credentials: Never hardcode usernames and passwords directly in your application. Use secure configuration methods or environment variables.
- Protect Tokens: Treat access_token as sensitive information.
  - Store tokens securely (e.g., encrypted at rest).
  - Avoid exposing tokens in client-side browser code or URLs.
- Token Expiration: Adhere to token expiration times and implement logic to request new tokens proactively.
- HTTPS: Always use HTTPS to protect data in transit. The ZapCloud API endpoints enforce this.
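The workflow and practices above, combined in an added Python example (not Zaptec's code): credentials come from environment variables, the form body is URL-encoded so special characters in a password survive, and the token is renewed shortly before expires_in runs out. The names ZAPTEC_USERNAME and ZAPTEC_PASSWORD, the TokenCache class and the 60-second renewal margin are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.zaptec.com/oauth/token"  # endpoint given on this page


def http_post_form(url, fields):
    """POST form-urlencoded fields over HTTPS and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()  # escapes &, =, + in passwords
    req = urllib.request.Request(url, data=data, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Keeps one access token in memory and renews it before it expires."""

    def __init__(self, username, password, post=http_post_form,
                 clock=time.monotonic, skew=60):
        self._creds = (username, password)
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Renew `skew` seconds early (assumed margin) so no call carries a stale token.
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(TOKEN_URL, {"grant_type": "password",
                                          "username": self._creds[0],
                                          "password": self._creds[1]})
            if str(body.get("token_type", "")).lower() != "bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")  # do not echo the body
            self._token = body["access_token"]
            self._expires_at = self._clock() + float(body["expires_in"])
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.token()}

    def __repr__(self):
        return "TokenCache(<redacted>)"  # keeps secrets out of logs and tracebacks


def from_env(**kwargs):
    # ZAPTEC_USERNAME / ZAPTEC_PASSWORD are assumed names, not defined by Zaptec.
    return TokenCache(os.environ["ZAPTEC_USERNAME"], os.environ["ZAPTEC_PASSWORD"], **kwargs)
```

Pass the result of auth_header() as the headers of each API request; the post and clock parameters exist so the cache can be exercised without network access.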