Authentication
CANSKAN supports two types of API access: public endpoints that require no authentication, and authenticated endpoints that require an API token.
Public API (No Token Required)
Public endpoints can be accessed without any authentication. These are designed for:
- Displaying user profiles when their QR code is scanned
- Event registration pages
- Self-service check-in
Simply make requests to the public endpoints without any authorization header:
```bash
curl https://api.canskan.com/p/abc123def456
```
Public Endpoint Rate Limits
Public endpoints are rate-limited to 10 requests per minute per IP address.
Authenticated API (Token Required)
For organization-level access, you need an API token. API tokens provide:
- Higher rate limits (60 requests/minute)
- Access to organization data
- Webhook management
- Attendee management
Obtaining an API Token
Step 1: Access Your Organization
- Log in to your CANSKAN dashboard at canskan.com
- Navigate to your organization
Step 2: Go to Developer Settings
- Click on Developers in the organization menu
- Select API Tokens
Step 3: Create a New Token
- Click Create Token
- Enter a descriptive name for your token (e.g., "Production Server", "Development", "CI/CD Pipeline")
- Select an expiration period:
  - 7 days
  - 30 days
  - 90 days (recommended)
  - 1 year
  - Never (not recommended for production)
- Click Create
Step 4: Copy Your Token
Important: Copy your token immediately after creation. For security reasons, the full token is only displayed once and cannot be retrieved later.
If you lose your token, you'll need to create a new one.
Using Your API Token
Include your API token in the Authorization header of every request:
```http
Authorization: Bearer your_api_token_here
```
Code Examples
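The Python client below is an added example written for this page, not CANSKAN's own library. It sends the Bearer header only on authenticated calls, reads the token from the environment rather than from source, and handles the 401/403 JSON error bodies and the 429 rate-limit response documented further down this page. Beyond what the page shows, it assumes that X-RateLimit-Reset is a Unix timestamp in seconds, and the path /example used in the docstrings is a placeholder, not a real endpoint. scripted_transport exists so the client can be exercised offline with constructed responses.

```python
"""Authenticated CANSKAN requests with the 401/403/429 handling described on this page.

Added example, not CANSKAN's own client library. Uses only what the page shows: the
https://api.canskan.com host, the Bearer header, the /p/{code} public path, the
X-RateLimit-* headers and the JSON "message" error body. X-RateLimit-Reset is treated
as a Unix timestamp in seconds (an assumption based on the sample value 1732099200).
"""
import json
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.canskan.com"


class AuthError(Exception):
    """401 or 403 from the API; carries the HTTP status and the JSON "message"."""
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message


class RateLimited(Exception):
    """429 from the API; reset_at is the value of X-RateLimit-Reset."""
    def __init__(self, reset_at):
        super().__init__(f"rate limited until {reset_at}")
        self.reset_at = reset_at


def http_transport(method, url, headers):
    """Live transport: returns (status, header dict, body text), including error responses."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def scripted_transport(responses):
    """Offline transport: replays constructed (status, headers, body) tuples and records
    every call so the Authorization header can be inspected."""
    queue = list(responses)

    def transport(method, url, headers):
        transport.calls.append((method, url, dict(headers)))
        return queue.pop(0)

    transport.calls = []
    return transport


class CanskanClient:
    def __init__(self, token=None, transport=http_transport, base_url=BASE_URL):
        # The token comes from the environment, never from source code.
        self.token = token if token is not None else os.environ.get("CANSKAN_API_TOKEN", "")
        self.transport = transport
        self.base_url = base_url
        self.remaining = None  # last X-RateLimit-Remaining value seen

    def headers(self, authenticated=True):
        headers = {"Accept": "application/json"}
        if authenticated:
            if not self.token:
                # Fail locally with the same message the API returns for a missing token.
                raise AuthError(401, "API token required.")
            headers["Authorization"] = f"Bearer {self.token}"
        return headers

    def request(self, method, path, authenticated=True):
        status, hdrs, body = self.transport(method, self.base_url + path,
                                            self.headers(authenticated))
        hdrs = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
        if "x-ratelimit-remaining" in hdrs:
            self.remaining = int(hdrs["x-ratelimit-remaining"])
        if status == 429:
            raise RateLimited(int(hdrs.get("x-ratelimit-reset", int(time.time()) + 60)))
        if status in (401, 403):
            try:
                message = json.loads(body)["message"]
            except (ValueError, KeyError, TypeError):
                message = body  # non-JSON error body: keep it verbatim
            raise AuthError(status, message)
        return json.loads(body) if body else None

    def request_with_backoff(self, method, path, max_wait=120,
                             sleep=time.sleep, now=time.time):
        """On 429, wait until X-RateLimit-Reset (capped at max_wait seconds), then retry once.
        Example: client.request_with_backoff("GET", "/example")  # /example is a placeholder."""
        try:
            return self.request(method, path)
        except RateLimited as limited:
            sleep(min(max(limited.reset_at - now(), 0), max_wait))
            return self.request(method, path)
```

Two design points: a missing token is rejected locally with the API's own "API token required." message, so a misconfigured deployment fails before it spends a rate-limited request; and the wait after a 429 is capped, because an X-RateLimit-Reset far in the future should surface as an error rather than stall a worker indefinitely.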
Token Security Best Practices
Do
- Store tokens in environment variables or secure secret management systems
- Use different tokens for development and production environments
- Set appropriate expiration dates for your use case
- Rotate tokens periodically
- Revoke tokens immediately if they may have been compromised
Don't
- Commit tokens to version control
- Share tokens in plain text via email or chat
- Use tokens with "Never" expiration in production
- Use the same token across multiple applications
- Log tokens in application logs
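The last item above is the one most often violated by accident: a request object dumped at debug level carries the Authorization header with it. The following Python logging filter is an added example, not CANSKAN's code. It redacts the credential part of any Bearer header and the configured token value before a record reaches a handler. Any sample token used with it here is constructed, and the character class in BEARER_RE assumes URL-safe token characters, which the page does not specify; widen it if your tokens differ.

```python
"""Keep API tokens out of application logs.

Added example, not CANSKAN's own code. A logging.Filter that redacts the credential
part of any "Authorization: Bearer ..." text and the configured token value before
a record reaches any handler. Token values used with it are constructed.
"""
import logging
import os
import re

REDACTED = "[REDACTED]"
# Credential part of a bearer header in any logged text (e.g. a dumped header dict).
# The character class is an assumption (URL-safe token characters); widen it if needed.
BEARER_RE = re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/=-]+)")


def redact(text, secrets=()):
    """Replace bearer credentials and every known secret value in text."""
    text = BEARER_RE.sub(lambda m: m.group(1) + REDACTED, text)
    for secret in secrets:
        if secret:  # never "replace" the empty string
            text = text.replace(secret, REDACTED)
    return text


class TokenRedactingFilter(logging.Filter):
    """Interpolates the record early and redacts it, so neither msg nor args leak the token."""
    def __init__(self, secrets=()):
        super().__init__()
        self.secrets = tuple(s for s in secrets if s)

    def filter(self, record):
        record.msg = redact(record.getMessage(), self.secrets)
        record.args = None  # already interpolated above; idempotent on repeat
        return True


def protect_logger(logger, token=None):
    """Attach the filter to the logger and to each of its handlers; returns the filter.

    The handler filters also catch records that propagate up from child loggers,
    which a logger-level filter alone would miss."""
    token = token if token is not None else os.environ.get("CANSKAN_API_TOKEN", "")
    redactor = TokenRedactingFilter([token])
    logger.addFilter(redactor)
    for handler in logger.handlers:
        handler.addFilter(redactor)
    return redactor


def redacted_message(record, secrets=()):
    """Run one record through the filter and return what a handler would format."""
    TokenRedactingFilter(secrets).filter(record)
    return record.getMessage()
```

Call protect_logger(logging.getLogger("myapp")) once at startup, after handlers are configured. Redaction by known value is the reliable part; the regex is a second net for tokens that arrive from somewhere other than the configured environment variable.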
Environment Variables Example
# .env file (never commit this!)
CANSKAN_API_TOKEN=your_api_token_here// Node.js
const token = process.env.CANSKAN_API_TOKEN;// PHP/Laravel
$token = env('CANSKAN_API_TOKEN');# Python
import os
token = os.environ.get('CANSKAN_API_TOKEN')Authentication Errors
401 Unauthorized
Returned when the token is missing, invalid, or expired.
Missing token:
```json
{
  "message": "API token required."
}
```
Invalid token:
```json
{
  "message": "Invalid API token."
}
```
Expired token:
```json
{
  "message": "API token has expired."
}
```
403 Forbidden
Returned when the token is valid but lacks the required permissions.
```json
{
  "message": "Token does not have required permissions."
}
```
Token Management
Viewing Your Tokens
Go to Developers > API Tokens to see all your tokens. For each token, you can see:
- Token name
- Creation date
- Last used date
- Expiration date
Revoking a Token
If a token is compromised or no longer needed:
- Go to Developers > API Tokens
- Find the token you want to revoke
- Click Delete
- Confirm the deletion
The token will be immediately invalidated and any requests using it will fail.
Rate Limiting
Authenticated requests have higher rate limits than public requests:
| Request Type | Rate Limit |
|---|---|
| Public (no token) | 10 requests/minute |
| Authenticated | 60 requests/minute |
Rate limit information is included in response headers:
```http
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
X-RateLimit-Reset: 1732099200
```
When you exceed the rate limit, you'll receive a 429 Too Many Requests response:
```json
{
  "message": "Too Many Attempts."
}
```
Next Steps
Now that you understand authentication, explore the authenticated API endpoints:
- Webhooks - Receive real-time notifications for events in your organization