Understanding Security

Overview

The ChannelAdvisor API uses both authentication and authorization to protect our clients' data. This security model includes DeveloperKey, password, AccountID and granted access (authorization) to an account's data. This page will help you understand how to work with these concepts.

Key Concepts

Concept

Description

AccountID

AccountID has a one-to-one relation with a ChannelAdvisor account, which also has a ProfileID.  AccountID does not have the same value as a corresponding ProfileID.  It is a GUID of the form 11111111-2222-3333-4444-555555555555, while ProfileID is an eight-digit integer. If your ChannelAdvisor client has multiple accounts, you will need to use a separate AccountID for each account. Simply knowing an AccountID is not enough to access an account's data.  The developer key must be authorized to gain access.

Developer Key

A developer key is a unique value that identifies the creator of an application. It is a GUID similar to AccountID. To get started developing an application in-house, you will need to Request API Developer Credentials to acquire a developer key.
An email containing an activation URL will be sent to the email address supplied during sign-up.  Please add developeradmin -at- channeladvisor -dot- com to your safe list so the activation email is not blocked by a spam filter.  After activation, you may request access to one or more accounts for your developer key. See "Granting Access To An Account" below for instructions.

Password

Each developer key has a password that is specified when the developer key is requested.  The password is separate from any user credentials that may be used to log into the ChannelAdvisor UI.

Granting Access To An Account

Granting a developer key access to a ChannelAdvisor account can be accomplished using the following steps:

  1. A ChannelAdvisor user with Client Admin permissions locates the desired ProfileID in the expandable account list on the My Account > Account Authorizations page.
  2. The developer calls the RequestAccess API method, using the ProfileID value from step 1 for the LocalID parameter.   A notification will appear in the account's Message Center, alerting the client of the pending authorization request.
  3. A ChannelAdvisor user with Client Admin permissions locates and enables the pending authorization request on the My Account > Account Authorizations page.
  4. The developer can retrieve the AccountID by calling the GetAuthorizationList API method and begin interacting with the account using any API methods.

Typical Authorization Scenarios

  • A client wants to use an existing integrated application such as TradeBox.  The client retrieves the ProfileID for their ChannelAdvisor account and gives it to TradeBox, the TradeBox developer requests authorization through the API, and the client enables access for TradeBox on the Account Authorizations page.  The TradeBox developer key now has access to the account.
  • A client adds a new account to ChannelAdvisor and wants to use their in-house API integration software.  Their developer key will need to be granted access to the new account since access is not inherited from similar accounts.  The client retrieves the ProfileID for their new ChannelAdvisor account, requests authorization through the API, and enables access in the UI.  The client's developer key now has access to the account.
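The four granting steps and the "access is not inherited" rule above can be checked against a small offline model. This is an added example, not ChannelAdvisor code and not a client for the real API: the class, its method names, the `Pending`/`Enabled` labels and the sample identifiers are assumptions made for illustration.

```python
import re
import uuid

PROFILE_ID_RE = re.compile(r"[0-9]{8}")  # page: ProfileID is an eight-digit integer

def classify_identifier(value):
    """Return 'ProfileID', 'AccountID' or None for a string identifier."""
    if PROFILE_ID_RE.fullmatch(value):
        return "ProfileID"
    try:
        # Accept only the canonical 8-4-4-4-12 GUID form shown on the page.
        if str(uuid.UUID(value)) == value.lower():
            return "AccountID"
    except ValueError:
        pass
    return None

class AuthorizationModel:
    """Hypothetical model of grants, keyed by (developer key, ProfileID)."""
    def __init__(self):
        self.accounts = {}  # ProfileID -> AccountID (constructed GUIDs)
        self.grants = {}    # (developer_key, ProfileID) -> 'Pending' | 'Enabled'

    def add_account(self, profile_id):
        self.accounts[profile_id] = str(uuid.uuid4())
        return self.accounts[profile_id]

    def request_access(self, developer_key, local_id):
        # Step 2: LocalID carries the ProfileID, never the AccountID.
        if classify_identifier(local_id) != "ProfileID" or local_id not in self.accounts:
            raise ValueError("LocalID must be the ProfileID of an existing account")
        self.grants.setdefault((developer_key, local_id), "Pending")

    def enable(self, developer_key, profile_id):
        # Step 3: a Client Admin can only enable a request that is pending.
        if self.grants.get((developer_key, profile_id)) != "Pending":
            raise KeyError("no pending request for this key and account")
        self.grants[(developer_key, profile_id)] = "Enabled"

    def authorization_list(self, developer_key):
        # Step 4 (model assumption): AccountIDs are listed once the grant is enabled.
        return [self.accounts[p] for (k, p), state in self.grants.items()
                if k == developer_key and state == "Enabled"]

    def can_access(self, developer_key, account_id):
        # Knowing an AccountID is not enough; the key needs an enabled grant.
        return account_id in self.authorization_list(developer_key)
```
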