Pet360 Internal Intelligence Layer


API Authentication

API keys, OAuth 2.0, JWT tokens, and rate limiting for Pet360 integrations.

Authentication Methods

Method               Format
API Key              pk_live_...
Bearer Token         eyJhbGc...
Webhook Signature    sha256=...

API Key Usage

# HTTP Header

X-API-Key: pk_live_abc123def456...

# cURL Example

curl -X GET "https://api.pet360.app/v1/animals" \
  -H "X-API-Key: pk_live_abc123def456" \
  -H "Content-Type: application/json"

OAuth 2.0 Scopes

Request only the scopes your integration needs (principle of least privilege).

Scope              Description
animals:read       Read animal records
animals:write      Create/update animals
medical:read       Read medical records
medical:write      Create/update medical records
financial:read     Read transactions, donations
financial:write    Create transactions
people:read        Read person records
people:write       Create/update persons
webhooks:manage    Configure webhook endpoints

OAuth 2.0 Flow

1. Redirect user to authorization URL
   GET /oauth/authorize?client_id=...&scope=...&redirect_uri=...
2. User grants permission, receives auth code
3. Exchange code for access token
   POST /oauth/token { grant_type, code, client_id, client_secret }
4. Use access token in Authorization header
   Authorization: Bearer eyJhbGc...
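The four steps above, written out as client-side helpers. This is an added example, not Pet360's SDK or any code from the page. The endpoint paths and the scope list come from the page; the host (assumed to be the same api.pet360.app as the REST API), the response_type and state parameters (standard OAuth 2.0, not listed on the page) and the state check on the callback are assumptions. The block builds the redirect URL with least-privilege scope validation, checks the returned state before the code is trusted, assembles the token exchange body, and turns the token response into the Authorization header.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Paths come from the page; the host is assumed to match the REST API host.
AUTHORIZE_URL = "https://api.pet360.app/oauth/authorize"
TOKEN_URL = "https://api.pet360.app/oauth/token"

# Scopes exactly as listed on the page; anything else is rejected up front.
KNOWN_SCOPES = {
    "animals:read", "animals:write", "medical:read", "medical:write",
    "financial:read", "financial:write", "people:read", "people:write",
    "webhooks:manage",
}


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Step 1: build the redirect URL.

    Unknown scopes raise instead of being forwarded, so a typo cannot
    silently request the wrong permission. `state` and `response_type`
    are standard OAuth 2.0 parameters the page does not list (assumed).
    """
    unknown = set(scopes) - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    state = state or secrets.token_urlsafe(16)  # keep it in the user's session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(set(scopes))),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 2: the user returns with ?code=...&state=...

    The state must match what we stored; otherwise the code may belong to
    a flow we never started and must not be exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(code, client_id, client_secret):
    """Step 3: the fields of POST /oauth/token as the page lists them.

    Returned as a form body for the caller to post to TOKEN_URL; the
    client secret never goes into a URL or a log line.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def bearer_header(token_response):
    """Step 4: turn the token response into the Authorization header.

    Only a bearer token is accepted; any other token_type is an error.
    """
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


if __name__ == "__main__":
    url, state = build_authorize_url("demo-client", "https://app.example/cb",
                                     ["animals:read", "medical:read"])
    print("redirect user to:", url)
    # Constructed callback, as the browser would deliver it after consent.
    callback = f"https://app.example/cb?code=constructed-code&state={state}"
    code = parse_callback(callback, state)
    print("exchange body:", token_request(code, "demo-client", "<client secret>"))
    print(bearer_header({"access_token": "eyJhbGc...", "token_type": "Bearer"}))
```

The state value is generated per login and stored in the user's session; `parse_callback` refuses to hand back a code until it matches, which is the check that stops a login CSRF from binding a stranger's account to the current session.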

Rate Limits

Tier        Requests      Burst
Standard    1,000/min     100
Partner     5,000/min     500
Internal    Unlimited     1,000

Rate Limit Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
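How a client should act on those headers rather than ignore them. Added example, not Pet360's code: the header names and the Standard tier numbers (1,000/min, burst 100) come from the page; that X-RateLimit-Reset is a Unix timestamp and that a refused request returns HTTP 429 are assumptions. The first function parses the headers defensively, the second turns them into a pause before the next call, and the token bucket mirrors a tier locally so the integration throttles itself before the API has to.

```python
import time


def rate_limit_state(headers):
    """Parse the X-RateLimit-* headers the page names into ints.

    Header lookup is case-insensitive; a missing or malformed value becomes
    None so one odd response cannot crash the client.
    """
    lowered = {k.lower(): v for k, v in headers.items()}

    def as_int(name):
        try:
            return int(lowered[name])
        except (KeyError, ValueError, TypeError):
            return None

    return {
        "limit": as_int("x-ratelimit-limit"),
        "remaining": as_int("x-ratelimit-remaining"),
        "reset": as_int("x-ratelimit-reset"),   # assumed: Unix timestamp
    }


def seconds_to_wait(status, headers, now=None, margin=1.0, low_water=0.05):
    """Decide how long to pause before the next request.

    - HTTP 429 (assumed status for a refused request): sleep until reset
      plus a margin; retrying earlier only burns budget.
    - Budget nearly exhausted: spread the remaining requests evenly over
      the time left in the window instead of slamming into the limit.
    - Otherwise: no wait.
    """
    now = time.time() if now is None else now
    state = rate_limit_state(headers)
    reset_in = None if state["reset"] is None else max(0.0, state["reset"] - now)
    if status == 429:
        return reset_in + margin if reset_in is not None else 60.0  # fallback
    limit, remaining = state["limit"], state["remaining"]
    if limit and remaining is not None and reset_in:
        if remaining <= limit * low_water:
            return reset_in / max(remaining, 1)
    return 0.0


class TokenBucket:
    """Local limiter that mirrors a tier before the API has to refuse us.

    `rate_per_min` is the sustained limit and `burst` the bucket size, e.g.
    TokenBucket(1000, 100) for the Standard tier on the page.
    """

    def __init__(self, rate_per_min, burst, now=None):
        self.rate = rate_per_min / 60.0
        self.capacity = burst
        self.tokens = float(burst)
        self.last = time.time() if now is None else now

    def try_acquire(self, now=None):
        """Take one token if available; never blocks, so callers decide
        whether to sleep or shed the request."""
        now = time.time() if now is None else now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


if __name__ == "__main__":
    # Constructed response headers: 20 requests left, window resets in 10 s.
    sample = {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "20",
              "X-RateLimit-Reset": str(int(time.time()) + 10)}
    print("pause before next call:", round(seconds_to_wait(200, sample), 2), "s")
    print("after a 429:", round(seconds_to_wait(429, sample), 2), "s")
    bucket = TokenBucket(1000, 100)
    sent = sum(bucket.try_acquire() for _ in range(150))
    print(f"burst of 150 attempts: {sent} allowed, {150 - sent} shed")
```

Pass `now` explicitly when testing so the arithmetic is deterministic; in production leave it unset and the functions read the clock themselves.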

Security Best Practices

Do
  • ✓ Store API keys in environment variables
  • ✓ Rotate keys regularly (90 days recommended)
  • ✓ Use separate keys for dev/staging/prod
  • ✓ Verify webhook signatures
  • ✓ Request minimum necessary scopes
Don't
  • ✗ Commit keys to version control
  • ✗ Share keys across applications
  • ✗ Expose keys in client-side code
  • ✗ Log full API keys
  • ✗ Ignore rate limit responses
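Three of the items above in working form: verifying a webhook signature, reading the API key from the environment, and redacting it before it reaches a log. Added example, not Pet360's code. The page shows only the sha256=... format of the signature; that it is HMAC-SHA256 over the raw request body, hex-encoded, and the header name X-Pet360-Signature and environment variable name PET360_API_KEY are assumptions.

```python
import hashlib
import hmac
import os

SIGNATURE_HEADER = "X-Pet360-Signature"   # assumed header name (not on the page)


def sign_payload(secret, body):
    """Produce the 'sha256=<hex>' value the sender is assumed to attach:
    HMAC-SHA256 over the raw request body using the shared webhook secret."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret, body, header_value):
    """Return True only for a well-formed signature that matches the body.

    Verify over the raw bytes, before any JSON parsing, and compare in
    constant time so a forged value cannot be confirmed byte by byte.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign_payload(secret, body), header_value)


def load_api_key(env_var="PET360_API_KEY", environ=None):
    """Do: read the key from the environment and fail loudly if absent.
    `environ` is injectable for tests; it defaults to os.environ."""
    source = os.environ if environ is None else environ
    key = source.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set")
    return key.strip()


def redact_key(key):
    """Don't log full keys: keep the type/environment prefix ('pk_live_')
    and the last four characters, enough to tell keys apart in a log."""
    if len(key) <= 12:
        return "***"
    parts = key.split("_")
    prefix = "_".join(parts[:2]) + "_" if len(parts) >= 3 else ""
    return f"{prefix}...{key[-4:]}"


if __name__ == "__main__":
    # Constructed delivery: a webhook secret and a payload body.
    secret = b"whsec_constructed_example"
    body = b'{"event":"animal.updated","id":"a_123"}'
    headers = {SIGNATURE_HEADER: sign_payload(secret, body)}
    print("genuine delivery accepted:",
          verify_webhook(secret, body, headers.get(SIGNATURE_HEADER)))
    print("tampered body accepted:",
          verify_webhook(secret, body + b" ", headers.get(SIGNATURE_HEADER)))
    key = load_api_key(environ={"PET360_API_KEY": "pk_live_abc123def456"})
    print("using key", redact_key(key))
```

Signature checks must run on the bytes exactly as received; re-serialising parsed JSON changes whitespace and key order and will not reproduce the sender's digest.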