Authorization

This page explains how to securely connect your POS or integration to Qerko using authorization credentials.

To securely connect your POS or integration to Qerko, you must provide a Pos-Id and an API key.

How you provide them depends on your chosen interface. Instructions are provided for each parameter below.

Pos-Id

The Pos-Id is a token in UUID format that identifies your integration. Qerko needs to know who is on the other side of the connection. You will receive your production Pos-Id from Qerko after your integration passes certification.

The Pos-Id should not be user-configurable and should be kept reasonably secret. It will not change over time.

WebSocket interface

Send the Pos-Id once as part of the auth-request message.

REST API interface & Webhook interface

Send the Pos-Id as an HTTP header with every request. For example:

API key

The API key is a token that identifies the restaurant. Unlike the Pos-Id, this needs to be user-configurable.

You can generate your API key in Qerko’s Restaurant Admin.

Checksum

The API key has a built-in checksum so you can verify if it is valid.

function verifyApiKey(apiKey: string): boolean {
    const KEY_LENGTH = 29;
    if (apiKey.length != KEY_LENGTH) {
        return false;
    }
 
    const HASH_LENGTH = 4;
    let base = apiKey.substring(0, apiKey.length - HASH_LENGTH);
    let hash = apiKey.substring(apiKey.length - HASH_LENGTH);
 
    return hex(sha1(base)).toLowerCase().startsWith(hash);
}

WebSocket interface

Send the API key once as part of the auth-request message.

REST API interface & Webhook interface

Send the API key in the Authorization HTTP header with every request. The value should be prefixed with Bearer. For example:

Authorization: Bearer wzgd-lbq6-gp6y-xwef-7qrz-4757

Need help? Contact techsupport@qerko.com for assistance.