Authorization

This page explains how to securely connect your POS or integration to Qerko using authorization credentials.

To securely connect your POS or integration to Qerko, you must provide a Pos-Id and an API key.

How to provide them depends on your chosen interface. Instructions are provided for each parameter below.

Pos-Id

Pos-Id is a token in UUID format that identifies your integration. Qerko wants to know who is on the other side of the connection. You will receive your production Pos-Id from Qerko after your integration passes certification.

Pos-Id is not supposed to be user-configurable and should be kept reasonably secret. It will not change over time.

WebSocket interface

Send the Pos-Id once as part of the auth-request message.

REST API interface & Webhook interface

Send the Pos-Id as an HTTP header with every request. For example:

Pos-Id: d6d8236d-08de-478a-849c-b5084add6f25

API key

The API key is a token that identifies the restaurant. Unlike Pos-Id, this needs to be user-configurable.

You can generate your API key in Qerko’s Restaurant Admin.

Checksum

The API key has a built-in checksum so you can verify if it is valid.

function verifyApiKey(apiKey: string): boolean {
    const KEY_LENGTH = 29;
    if (apiKey.length != KEY_LENGTH) {
        return false;
    }
 
    const HASH_LENGTH = 4;
    let base = apiKey.substring(0, apiKey.length - HASH_LENGTH);
    let hash = apiKey.substring(apiKey.length - HASH_LENGTH, HASH_LENGTH);
 
    return hex(sha1(base)).toLowerCase().startsWith(hash);
}

WebSocket interface

Send the API key once as part of the auth-request message.

REST API interface & Webhook interface

Send the API key in the Authorization HTTP header with every request. The value should be prefixed with Bearer. For example:

Authorization: Bearer eeeu-g786-zp54-3v1c-db02-e4e1

Need help? If you get stuck or have questions, email us at techsupport@qerko.com—we’re here for you!