Access tokens

Once an application has been authorized, it has an access token. The access token must be sent with every request to the FotoWeb API. For example, the following request can be used to get the full API descriptor, which is the main entry point of the FotoWeb API:

GET https://myfotowebserver.com/fotoweb/me
Accept: application/vnd.fotoware.full-api-descriptor+json
Authorization: Bearer ACCESS_TOKEN

where Authorization is a standard HTTP header and TOKEN is an access token obtained using OAuth. The process of obtaining an access token is explained below.

It is also possible to send the bearer token as a query string parameter, for example, as follows:

GET /fotoweb/me?access_token=TOKEN

This approach is secure, but not recommended for regular API requests. It is useful, for example, when embedding image URLs obtained via an API request in a HTML image tag.

Some reverse proxy servers, such as NGINX, remove the Authorization header before forwarding the request to the back-end (FotoWeb) server. If you get authentication errors (such as 401 responses) in your API requests using bearer tokens, then this may be the case. To resolve the problem:

If you control the reverse proxy server, consult its documentation, and configure it to pass through the Authorization header. For example, in NGINX, you can use the following configuration options:

proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization; 

• If you do not have access to the server, contact the server's administrator about the issue.
• If you are connecting directly to a FotoWeb SaaS tenant, then the problem is likely caused by something else (such as an invalid access token). If you cannot find a solution, contact Fotoware Support.