API Security Tokens

Access to the Offers API is controlled by two different means. When users on Maersk-controlled sites, such as Maersk.com, query information supplied by the Offers API, a ForgeRock JWT token with the user credentials is used. When customer direct access solutions or 3rd party platforms consume the Offers API endpoints, they need to supply an api-key assigned to them during the onboarding process (see more about this in the Onboarding Guide).

Some endpoints support both authentication models, but some only support one or the other. The endpoint descriptions will contain information about which authentication model is supported, as will the swagger api-docs.

Consumer key

The Consumer key must be supplied in a Consumer-key header with a value of <consumer-key>.

Header Value
Consumer-key Fep6ztlGHf2of91X0ddxzm2GpadFPKg4

Security Error Codes when using Consumer key

HTTP 401 Unauthorized

If neither a ForgeRock JWT nor a Consumer key is present in the request, the API will respond with an HTTP 401 Unauthorized status code. This also occurs if the Consumer key is not recognized by the Offers API.

HTTP 403 Forbidden

If the Consumer key has been revoked, the Offers API will respond with an HTTP 403 Forbidden status code. The same status code is returned if a Consumer key is used with an endpoint that does not support access with a Consumer key.

ForgeRock JWT

The ForgeRock OAuth 2.0 JWT tokens must be supplied in an Authorization header with a value of Bearer <token>.

Header Value
Authorization Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N...

Security Error Codes when using ForgeRock JWT

HTTP 401 Unauthorized

If neither a ForgeRock JWT nor a Consumer key is present in the request, the API will respond with an HTTP 401 Unauthorized status code. This also occurs if the ForgeRock OAuth 2.0 token cannot be validated or has expired.

HTTP 403 Forbidden

If access has been revoked for the user authenticated in the OAuth 2.0 JWT token, the API will respond with an HTTP 403 Forbidden status code.
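
The following client-side helper is an added example, not code from the Offers API or its documentation. It builds the two headers described above, refuses requests that would fail with 401 before they are sent, maps a 401/403 response to the causes listed on this page, and produces a log-safe copy of the headers. All function names are hypothetical, and the expiry check assumes the token carries the standard JWT `exp` claim.

```python
import base64, hashlib, json, time

def jwt_expiry(token):
    """Read the exp claim (epoch seconds) from a JWT payload, or None.
    Decode only: the signature is not verified here, the API does that."""
    try:
        part = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
        return claims.get("exp")
    except (IndexError, ValueError, AttributeError):
        return None

def build_auth_headers(consumer_key=None, jwt=None, now=None):
    """Build the Consumer-key and/or Authorization header described above."""
    for value in (consumer_key, jwt):
        if value and any(c in value for c in "\r\n "):
            raise ValueError("credential contains whitespace or CR/LF")
    headers = {}
    if consumer_key:
        headers["Consumer-key"] = consumer_key
    if jwt:
        exp = jwt_expiry(jwt)  # assumption: token carries the standard exp claim
        if isinstance(exp, (int, float)) and exp <= (time.time() if now is None else now):
            raise ValueError("JWT has expired; the API would answer 401")
        headers["Authorization"] = "Bearer " + jwt
    if not headers:
        raise ValueError("no credential supplied; the API would answer 401")
    return headers

def explain_auth_failure(status, headers):
    """List the causes this page gives for a 401/403, per credential sent."""
    key, tok = "Consumer-key" in headers, "Authorization" in headers
    causes = []
    if status == 401:
        causes += ["Consumer key not recognized"] if key else []
        causes += ["JWT could not be validated or has expired"] if tok else []
        causes = causes or ["no ForgeRock JWT or Consumer key present"]
    elif status == 403:
        causes += ["Consumer key revoked",
                   "endpoint does not support Consumer key access"] if key else []
        causes += ["access for the authenticated user revoked"] if tok else []
    return causes

def redact(headers):
    """Log-safe copy: each credential replaced by a short SHA-256 fingerprint."""
    return {name: "sha256:" + hashlib.sha256(value.encode()).hexdigest()[:8]
            for name, value in headers.items()}
```

Pass the dictionary from `redact` to loggers and error reports instead of the real headers, so a Consumer key or bearer token never ends up in log storage.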