Information on how to authenticate with the Aro Partner API
We protect our API using access credentials
Access to our APIs (and Marketplace website) is restricted for users in certain regions, including but not limited to India, Pakistan, and Cyprus. Any API requests originating from these locations will receive an HTTP 403 FORBIDDEN response, regardless of whether valid credentials are provided. If you encounter this issue, we recommend using a VPN solution to geo-locate your developers within the UK.
Whenever a client accesses a protected route or resource, the user agent must send a JWT access token in the "Authorization" header of the request. An API Key should also be supplied in a separate HTTP header alongside the JWT. The API Key links consumer requests to a usage plan.
The content and naming of each of the HTTP headers is as follows:
Usage | HTTP Header Name | Example |
---|---|---|
JWT (Bearer Token) | Authorization | Authorization: Bearer <jwt> |
API Key | x-api-key | x-api-key: <api-key> |
Please also ensure your API requests contain a "User-Agent" HTTP header identifying the application, operating system, vendor, and/or version of the requesting user agent.
Before you begin
Before you can begin trying the endpoints, you must gather the following information:
- Obtain the required JWT token
- Obtain the required API Key
- Identify the API endpoint base URL for the environment you are accessing.
Obtaining a JWT token and API Key
Please contact your Aro representative to request these credentials.
You will be provided with different credentials for our Sandbox and Production environments. Whilst you are developing your integration you will use our Sandbox, before moving to Production.
Identifying the API endpoint base URL
API | Sandbox Endpoint | Production Endpoint | Credentials Required |
---|---|---|---|
Redirect API | apig.aro-sandbox.aro.co.uk | apig.aro.co.uk | JWT & API Key |
Eligibility API | apig.aro-sandbox.aro.co.uk | apig.aro.co.uk | JWT & API Key |
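The header and endpoint rules above, put together as an added example (not Aro's own code): it builds an unsent request for one environment, keeps the credentials bound to that environment's host, rejects header values that could smuggle extra headers, and masks the secrets for logging. The `https` scheme, the function names and the caller-supplied path are assumptions; the hosts and header names are the ones in the tables on this page.

```python
import re
import urllib.request

# Hosts come from the endpoint table on this page; the https scheme is an assumption.
BASE_HOSTS = {
    "sandbox": "apig.aro-sandbox.aro.co.uk",
    "production": "apig.aro.co.uk",
}
SECRET_HEADERS = {"authorization", "x-api-key"}
# Visible ASCII only: rejects spaces, CR/LF and other control characters.
_TOKEN = re.compile(r"[\x21-\x7e]+")


def build_request(env, path, jwt, api_key, user_agent):
    """Return an unsent urllib Request carrying the three required headers."""
    if env not in BASE_HOSTS:
        raise ValueError(f"unknown environment: {env!r}")
    # A host-relative path keeps the credentials bound to the chosen host.
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("path must be relative to the API host")
    for name, value in (("jwt", jwt), ("api_key", api_key)):
        if not _TOKEN.fullmatch(value or ""):
            raise ValueError(f"{name} is empty or has whitespace/control characters")
    if not user_agent or not user_agent.isprintable():
        raise ValueError("User-Agent must identify the calling application")
    headers = {
        "Authorization": f"Bearer {jwt}",
        "x-api-key": api_key,
        "User-Agent": user_agent,
    }
    url = f"https://{BASE_HOSTS[env]}{path}"
    return urllib.request.Request(url, headers=headers)


def loggable_headers(request):
    """Headers with the JWT and API key masked, safe to write to logs."""
    return {
        key: "<redacted>" if key.lower() in SECRET_HEADERS else value
        for key, value in request.header_items()
    }


def triage_status(status):
    """First troubleshooting step for a response status."""
    if status == 403:
        # Per this page, restricted regions get 403 even with valid credentials.
        return "check-source-region"
    return "ok" if status < 400 else "other-error"
```

Pass the returned object to `urllib.request.urlopen` to send it; note that urllib stores header names capitalised (`X-api-key`, `User-agent`), which does not affect the request because HTTP header names are case-insensitive.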