Get your API credentials

To access the EazyRent API, you need to create a Service Account and choose between two types of credentials: JSON keys or Client ID/Secret. Both methods are secure, but each has its own use cases, benefits, and limitations.

1. Create a Service Account

Start by creating a Service Account. Go to the console > settings > developer.

Create a service account.

Manage the authorization of the service user

Grant the service user only the minimal authorizations it needs. To choose them, check the scopes required by each endpoint in the APIs section.

Choose your credential type

Option 1: JSON Keys

With JSON keys, our authentication server generates a file containing the necessary credentials, including a private key. This method is typically used for server-to-server communication.

Advantages:

  • Key Expiration: JSON keys can have an expiration date, ensuring that credentials are rotated regularly for enhanced security.

  • Multiple Keys per Service Account: A service account can have multiple JSON keys, allowing you to rotate keys without disrupting services.

  • Local Token Generation: You can generate an authentication token locally using the private key and exchange it with Zitadel’s authentication server, which ensures more secure interactions.

  • Secure: Because the key file is used locally to generate the token, this method is less prone to leaks compared to sending secrets over the network.

Disadvantages:

  • File Management: The JSON key file must be securely stored and handled. If exposed, it could compromise the security of your API requests.
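The local token generation described under Option 1, as an added example that is not EazyRent's or Zitadel's own code: it signs a short-lived JWT with the key file's private key and builds the exchange request, so only the signed assertion leaves the host. It assumes the key file uses the `keyId`, `key` and `userId` fields of Zitadel's service-account key format, the `/oauth/v2/token` endpoint and the third-party `cryptography` package; the issuer URL, key file path and scope are placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode

MAX_LIFETIME = 300  # seconds; a short-lived assertion limits replay value


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rs256_sign(pem: str, message: bytes) -> bytes:
    # Assumption: the third-party "cryptography" package is installed.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(pem.encode(), password=None)
    return key.sign(message, padding.PKCS1v15(), hashes.SHA256())


def build_assertion(key_file: dict, audience: str, sign=rs256_sign, now=None) -> str:
    """Sign a JWT locally; field names are assumed from Zitadel's key format."""
    missing = {"keyId", "key", "userId"} - key_file.keys()
    if missing:
        raise ValueError(f"key file lacks fields: {sorted(missing)}")
    iat = int(time.time() if now is None else now)
    header = {"alg": "RS256", "kid": key_file["keyId"]}
    claims = {"iss": key_file["userId"], "sub": key_file["userId"],
              "aud": audience, "iat": iat, "exp": iat + MAX_LIFETIME}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    signature = sign(key_file["key"], signing_input.encode())
    return f"{signing_input}.{b64url(signature)}"


def token_request(issuer: str, assertion: str, scope: str):
    """Return (url, form body) for the exchange; the private key is not in it."""
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
            "scope": scope, "assertion": assertion}
    return issuer.rstrip("/") + "/oauth/v2/token", urlencode(form).encode()


if __name__ == "__main__":
    # Constructed usage: key path, issuer and scope are placeholders.
    with open("service-account-key.json") as fh:
        jwt = build_assertion(json.load(fh), "https://auth.example.invalid")
    url, body = token_request("https://auth.example.invalid", jwt, "openid")
    print(url, len(body))
```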

Option 2: Client ID/Secret (Client Credentials Flow)

With the Client ID/Secret, you authenticate by sending your client ID and secret directly to Zitadel’s authentication server. This method is often used in scenarios where more granular control of authentication is required.

Advantages:

  • Simpler Management: The client ID and secret can be managed more easily in environments where local key storage is less practical.

Disadvantages:

  • Secret Transmission: Unlike JSON keys, you must send the secret over the network as part of the authentication process. This introduces some risk, although it can be mitigated by using HTTPS for secure transmission.

  • Less Secure than JSON Keys: Because the secret is transmitted to the server during every authentication request, it can be more vulnerable to interception compared to locally stored key-based methods.

3. Which option to choose?

  • Use JSON Keys if:

    • You need local token generation for enhanced security.

    • You want key expiration and easy key rotation using multiple keys.

    • You’re automating server-to-server communications and can securely manage the key file.

  • Use Client ID/Secret if:

    • You need a simpler management approach and are working with client applications.

    • You prefer a dynamic authentication flow where credentials can be easily rotated.

    • You are not concerned about sending the secret over the network, as long as HTTPS is used.