Access to individual Liftoff OData API resources is restricted based on your admin user's permissions. For example, the Get order resource requires the View Orders permission. If an admin user is not assigned to a role with the View Orders permission, then using that admin user's API key to make a Get order request will result in a
403 Forbidden response.
Role permissions are managed via Roles on My Liftoff. Admin user role assignments are managed via Users. If you do not have access to role or user management, contact the owner of your Liftoff account.
- Create an admin role specifically for API access. Grant that role access only to the permissions required by the API methods you need.
- Create an admin user specifically for API access. Place that user in the admin role you created for API access.
- Use that admin user's API key for all API access.
- Regenerate that admin user's API key on a regular basis.
- Keep all API keys secret. Never include them in client-side code or anywhere else that is publicly accessible.