Authentication
Secure access to the RCManager API with OAuth 2.0 and API keys
Secure API Access
RCManager's API uses industry-standard authentication methods to protect your data and ensure secure access. Choose between OAuth 2.0 for user-centric applications or API keys for server-to-server integrations. With fine-grained permissions, rate limiting, and token management, you have complete control over who accesses your RC data and what they can do with it.
- OAuth 2.0: user authorization
- API Keys: server access
- Encrypted: TLS everywhere
OAuth 2.0 Authentication
User Authorization Flow
OAuth 2.0 allows users to authorize your application to access their RCManager data:
Authorization Flow
1. Redirect to Authorization URL: send the user to RCManager's authorization endpoint
2. User Grants Permission: the user reviews and approves the requested scopes
3. Receive Authorization Code: RCManager redirects back with a temporary code
4. Exchange for Access Token: trade the authorization code for an access token

Authorization request (step 1):

```
https://api.pro-pitbox.com/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=vehicles:read parts:write&
  state=RANDOM_STATE_STRING
```

Token exchange (step 4):

```
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=AUTHORIZATION_CODE&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET&
redirect_uri=https://yourapp.com/callback
```
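The four steps as a small client-side helper in Python, added here as an example and not part of RCManager's own documentation or SDK; it builds the step 1 URL, checks the `state` on the callback before accepting the code, and prepares the step 4 form body. The client id, secret, callback URL and function names are placeholders, and the actual HTTP calls are left to whichever client you use.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://api.pro-pitbox.com/oauth/authorize"
TOKEN_URL = "https://api.pro-pitbox.com/oauth/token"


def new_state() -> str:
    """Unguessable per-request state; store it server-side (e.g. in the session) before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, scopes: list[str], state: str) -> str:
    """Step 1: the URL the user is sent to. Scopes are space-separated as in the docs."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: extract the code, refusing the callback unless state matches what we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    # Constant-time compare so a mismatch leaks nothing about the stored value.
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request_body(code: str, client_id: str, client_secret: str, redirect_uri: str) -> str:
    """Step 4: form body for POST /oauth/token; send it from the server over TLS, never from the browser."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,  # must match the value used in step 1
    })
```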
API Key Authentication
Server-to-Server Access
API keys provide simple authentication for server applications and scripts:
Creating API Keys
1. Go to Settings → API Keys
2. Click "Generate New Key"
3. Set permissions and expiration
4. Copy and secure your key
Key Properties
- Scoped permissions
- Optional expiration
- IP whitelisting
- Usage analytics
```bash
# Include API key in Authorization header
curl -H "Authorization: Bearer ppb_live_a1b2c3d4e5f6..." \
  https://api.pro-pitbox.com/v1/vehicles

# Or as a query parameter (less secure)
curl "https://api.pro-pitbox.com/v1/vehicles?api_key=ppb_live_a1b2c3d4e5f6..."
```
Security Note: Always use HTTPS and prefer header authentication. Never commit API keys to version control.
Scopes and Permissions
Fine-Grained Access Control
Request only the permissions your application needs:
Scope | Description | Access Level |
---|---|---|
vehicles:read | View vehicle profiles and specs | Read |
vehicles:write | Create and modify vehicles | Write |
parts:read | View parts inventory | Read |
parts:write | Manage parts inventory | Write |
maintenance:read | View maintenance records | Read |
maintenance:write | Create maintenance tasks | Write |
analytics:read | Access analytics data | Read |
webhooks:write | Configure webhooks | Write |
Best Practice: Request minimum required scopes. Users are more likely to approve limited permissions.
Token Management
Access Tokens
Short-lived tokens for API access:
Token Properties
- Expires in 1 hour
- JWT format
- Contains user/app info
- Signed and verifiable
Token Response
```json
{
  "access_token": "eyJhbGc...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "rcm_refresh_...",
  "scope": "vehicles:read parts:write"
}
```
Refresh Tokens
Long-lived tokens to obtain new access tokens:
```
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
refresh_token=rcm_refresh_a1b2c3d4e5f6...&
client_id=YOUR_CLIENT_ID&
client_secret=YOUR_CLIENT_SECRET
```
Security Best Practices
Keep Your Integration Secure
Common Authentication Errors
401 Unauthorized
Missing or invalid authentication credentials
- Check that the API key or access token is included
- Verify the token hasn't expired
- Ensure proper Authorization header format
403 Forbidden
Valid credentials but insufficient permissions
- Verify the requested scopes are authorized
- Check API key permissions
- Confirm access to the resource is allowed
400 Bad Request
Invalid OAuth flow parameters
- Verify redirect_uri matches the registered URL
- Check that all required parameters are included
- Ensure the authorization code is valid
Start Authenticating
Ready to implement authentication? Here's what to do next: