Authentication
JSON over HTTPS
Cardlytics endpoints and webhooks all support JSON encoded request bodies submitted over HTTPS. While there are no explicit
rules that Cardlytics imposes around throttling incoming requests, we do ask clients to honor HTTP 429
response codes with
an exponential back-off in retries if possible.
Important Ids and Key
There are several identifiers needed for the Powered by Cardlytics platform to operate with your marketplace.
userId
: This is a unique identifier for your user assigned by your marketplace. Cardlytics recommends a uuid format for this id. Example:00000000-0000-0000-0000-000000000000
.
applicationId
: A uuid assigned to uniquely identify your marketplace's application. You will receive an applicationId for every webhook configured or mobile application using the SDK. Example:cdlx:dddddddd-dddd-dddd-dddd-dddddddddddd
secretKey
: This is a secret key that only Cardlytics servers and your marketplace servers should have access to. This secret should never be exposed to your application: they are only used for signing and verifying requests. Example:your-256-bit-secret
Cardlytics JWT Authorization Token
The Powered by Cardlytics platform communicates to and from your servers via JSON over HTTPS. Cardlytics will assign an
applicationId
and secretKey
to your integration. The applicationId
uniquely identifies your
marketplace's application to Cardlytics while the secretKey
is used to create a JSON Web Token (JWT). JWT
is an open, industry standard (RFC 7519) method for representing claims securely
between two parties. There are many open source libraries which can be used to generate
a JWT.
JWT Header
JWT tokens are passed as an Authorization: Bearer <token>
formatted header unless otherwise noted.
JWT Payload
Cardlytics requires the following standard attributes in your JWT payload.
iss
- (Issuer) TheapplicationId
assigned by Cardlytics for this webhook. Example:cdlx:dddddddd-dddd-dddd-dddd-dddddddddddd
sub
- (Subject) A hex-encoded md5 digest of the JSON request body. Example:4b375c0634a01ce45d6e3de9379ff635
exp
- (Expiration) The expiration date of the token expressed in seconds since epoch number. Should be no more than 60 minutes in the future unless otherwise noted by the endpoint. Example:1590598276
jti
- (JWT ID) A randomly generated unique id for the token, typically a uuid. Example:eeeeeeee-ffff-e eee-ffff-eeeeeeeeeeee
sub
To create the sub
(A hex-encoded md5 digest of the JSON request body):
- Capture the raw JSON request body. This should be a UTF-8 encoded string.
- Create an md5 hash of the request body.
- Generate a JWT using your
secretKey
setting thesub
field to the md5 hash from (2)
JWT Signature
The JWT must be signed using the shared secretKey
assigned by Cardlytics. Cardlytics supports using JWTs generated with the
HS256
algorithm.
Example JWT
The header source to Base64Url encode.
1 2 3 4 |
|
The payload source to Base64Url encode. The subject json for this example: {"example":"value"}
which has an md5
hash of 4b375c0634a01ce45d6e3de9379ff635
.
1 2 3 4 5 6 |
|
The signature code
1 2 3 |
|
The following is an example JWT generated from the above data.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJkb3NoOmRkZGRkZGRkLWRkZGQtZGRkZC1kZGRkLWRkZGRkZGRkZGRkZCIsInN1YiI6IjdmMTZkY2Y2OGVjMWYwZDFkZDZjMzE2NWE1NWJhNWRiIiwiZXhwIjoxNTkwNTk4Mjc2LCJqdGkiOiJlZWVlZWVlZS1mZmZmLWVlZWUtZmZmZi1lZWVlZWVlZWVlZWUifQ.RNDSifWcP5IMcmYybeh4cSBz8fBpOXYlpIKdtaUVTfw
HTTP Conventions
Cardlytics's API endpoints and webhooks adhere to standard HTTP status codes.
Below are the response codes that you may see when calling Cardlytics endpoints and webhooks.
HTTP Response Code | Description |
---|---|
200 OK |
Success. The request is understood and acknowledged. The body of the response may indicate additional context or error conditions. |
301 Moved Permanently 302 Found |
Cardlytics does not currently require clients to handle redirects. For future proofing, following 1 redirect for a request to Cardlytics is recommended |
401 Unauthorized |
Request does not include required credentials |
403 Forbidden |
Caller is not allowed to invoke the endpoint |
404 Not Found |
Cardlytics cannot locate the resource requested |
405 Method Not Allowed |
Cardlytics does not support the HTTP method requested. Note that most Cardlytics endpoints support POST only |
415 Unsupported Media Type |
Cardlytics does not understand the body of the request. Note that most Cardlytics endpoints support application/json only |
429 Too Many Requests |
Cardlytics is throttling requests from your client. Note that Cardlytics tries to never respond with this response code but may under extreme circumstances |
500 Internal Server Error |
An unknown or not-handled error |
501 Not Implemented |
Endpoint does not understand the request passed |
503 Service Unavailable |
The specific service is down for maintenance or other reasons |