Guides
Start typing to search…

Authentication

This guide explains how to securely authenticate with the ZapCloud API, which enables programmatic access to Zaptec’s electric vehicle charging solutions. Through the API, you can retrieve installation data and modify runtime parameters. To maintain data security and integrity, all API requests must be properly authenticated.

Authentication mechanism

The ZapCloud API employs the OAuth 2.0 Resource Owner Password Credentials (ROPC) Grant type. This method involves exchanging user credentials directly for an access token, which is then used to authorize subsequent API requests. You can access here -> Open API spec

Authentication workflow

The authentication process involves obtaining an access token, using it for API requests.

Step 1: Requesting an access token

To begin interacting with the API, your application must first obtain an OAuth Bearer Token.

  • HTTP Method: POST
  • Endpoint: https://api.zaptec.com/oauth/token

Request Details:

  • Headers:
    • Content-Type: application/x-www-form-urlencoded
  • Body Parameters (form-urlencoded):
    • grant_type: Must be set to password.
    • username: Your registered Zaptec account username.
    • password: Your Zaptec account password.

Example: Token request

POST https://api.zaptec.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&username={your_username}&password={your_password}

Samplecurl request with bearer token for API acces

curl -X POST https://api.zaptec.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username={your_username}&password={your_password}"

Successful Response:

A successful request returns a JSON object containing the access_token and other relevant information.

{
  "access_token": "your_received_access_token",
  "token_type": "Bearer",
  "expires_in": 3600, // Lifespan of the access token in seconds
  "scope": "read write offline_access" // Example scopes granted
}

Step 2: Using the access token

Once an access_token is obtained, include it in the Authorization header for all API calls to protected resources.

  • Header Format: Authorization: Bearer {access_token}
    (Replace{access_token} with the token value received.)

Example: API Call with Access Token

GET /api/some_protected_resource
Host: api.zaptec.com
Authorization: Bearer your_received_access_token

Recommended Security best practices

When implementing ZapCloud API authentication:

  • Securely Store Credentials: Never hardcode usernames and passwords directly in your application. Use secure configuration methods or environment variables.
  • Protect Tokens: Treat access_token as sensitive information.
  • Store tokens securely (e.g., encrypted at rest).
  • Avoid exposing tokens in client-side browser code or URLs.
  • Token Expiration: Adhere to token expiration times and implement logic to request for new tokens proactively.
  • HTTPS: Always use HTTPS to protect data in transit. The ZapCloud API endpoints enforce this.

Updated 11 days ago