Start Session
Learn the process for initiating and authenticating a session with the Cardlytics Publisher Rewards API
Abstract
This document outlines the process for initiating and authenticating a session with the Cardlytics Publisher Rewards API via the /v2/session/startSession endpoint. It details the required authentication credentials, headers, payload structure, error handling, token management, and recommended security practices for client integration.
Summary
To start a session with the Cardlytics Publisher Rewards API, clients must send a POST request to /v2/session/startSession with a JSON payload containing their clientId and secret. The request must include the Content-Type: application/json header and an x-source-customer-id header containing an anonymized customer ID (See Security Requirements section below).
Note: For users who are not registered or logged in, but to whom you still want to present the Cardlytics Rewards experience and its offers, pass "no-user-available" as the value for the x-source-customer-id header.
How To Start a Session
Get Session Token (Authentication)
POST /v2/session/startSession
To authenticate and begin your session, you'll need to provide the following credentials in a secure POST request:
Request Headers:
- Content-Type: application/json
- *x-source-customer-id: string
Note: Refer to the Security Requirements section on suggestions to secure the x-source-customer-id.
Request Payload:
- clientId: Your unique clientId provided by Cardlytics.
- secret: A secure secret key shared with you by Cardlytics.
Request Payload Sample:
{
  "clientId": "String",
  "secret": "String"
}
Response
On successful authentication, the API will provide a bearer token that you can use to access our services.
Token Details:
- Bearer Token Validity: The token is valid for 15 minutes from the time of issue, and the SDK will handle the token refresh.
- If you provide an invalid clientId or clientSecret, the API will return a 500 Internal Server Error.
- If your token expires, all subsequent API requests will return a 401 Unauthorized response, indicating that the session is no longer valid.
- To continue accessing the API, you must request a new token using the same token generation endpoint (POST /v2/session/startSession).
Security Requirements
x-source-customer-id
It's important that the customer ID value passed in the x-source-customer-id header is obfuscated and does not contain any personally identifiable information (PII), such as a username, user email, or similar identifiers. Where necessary, we recommend hashing the value with SHA-256 to achieve this anonymity.
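The following Python block is an added example, not Cardlytics' own SDK or sample code, and it ties together the two parts of this page: deriving the x-source-customer-id header value (the SHA-256 recommendation above, plus the "no-user-available" sentinel for anonymous visitors) and assembling the startSession request, interpreting the documented status codes, and tracking the 15-minute token lifetime so a client that calls the REST endpoint directly knows when to request a new token. The base URL, the 60-second refresh margin, the keyed-hash (HMAC) option, and the `extract_token` callback are assumptions; in particular the page does not show the shape of the response body, so the token field name is left to the caller.

```python
import hashlib
import hmac
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

START_SESSION_PATH = "/v2/session/startSession"
NO_USER_AVAILABLE = "no-user-available"   # documented sentinel for visitors who are not logged in
TOKEN_TTL_SECONDS = 15 * 60               # documented: bearer token valid 15 minutes from issue
REFRESH_MARGIN_SECONDS = 60               # assumption: renew a minute early to avoid a 401 race


def anonymize_customer_id(customer_id: Optional[str], key: Optional[bytes] = None) -> str:
    """Value for the x-source-customer-id header.

    Hash an internal, non-PII identifier, never an email or username. Without a
    key this is the plain SHA-256 the page recommends; with a key it is HMAC-SHA256
    (assumption: a keyed hash is the stronger choice when raw ids are guessable,
    because a plain digest of a small id space can be recomputed by anyone).
    """
    if customer_id is None:
        return NO_USER_AVAILABLE
    data = customer_id.encode("utf-8")
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_start_session_request(base_url: str, client_id: str, secret: str,
                                source_customer_id: str):
    """Assemble the documented POST: the two required headers plus a clientId/secret JSON body."""
    url = base_url.rstrip("/") + START_SESSION_PATH
    headers = {
        "Content-Type": "application/json",
        "x-source-customer-id": source_customer_id,
    }
    body = json.dumps({"clientId": client_id, "secret": secret}).encode("utf-8")
    return url, headers, body


def check_start_session_status(status: int) -> None:
    """Map the status codes the page documents for startSession to exceptions."""
    if status == 500:
        # the page states an invalid clientId or secret yields 500, not 401
        raise PermissionError("startSession returned 500: check clientId and secret")
    if status != 200:
        raise RuntimeError(f"startSession returned unexpected status {status}")


@dataclass
class SessionToken:
    value: str
    issued_at: float

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        """True once the token is within the refresh margin of its 15-minute lifetime."""
        now = time.time() if now is None else now
        return now >= self.issued_at + TOKEN_TTL_SECONDS - REFRESH_MARGIN_SECONDS

    def authorization_header(self) -> dict:
        """Header to attach to subsequent API calls (standard bearer scheme)."""
        return {"Authorization": f"Bearer {self.value}"}


def needs_new_session(status: int, token: SessionToken, now: Optional[float] = None) -> bool:
    """A 401 on any later request, or a token past its refresh point, means: call startSession again."""
    return status == 401 or token.needs_refresh(now)


def start_session(base_url: str, client_id: str, secret: str, source_customer_id: str,
                  extract_token: Callable[[dict], str]) -> SessionToken:
    """Perform the live call. `extract_token` pulls the bearer token out of the parsed
    JSON response; the field name is not shown on the page (assumption)."""
    url, headers, body = build_start_session_request(base_url, client_id, secret, source_customer_id)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    issued_at = time.time()
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, payload = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, payload = err.code, err.read()
    check_start_session_status(status)
    return SessionToken(extract_token(json.loads(payload)), issued_at)
```

The hashing helper is the part worth checking before go-live: feed it your internal customer identifier, confirm the output is a 64-character hex digest, and confirm that nothing resembling an email or username ever reaches the header. The `needs_new_session` check is where a direct REST client replaces the refresh handling the SDK would otherwise do for it.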