
Some MyTimetable sites will require applications to use an API token when making API calls. This token can then be used to monitor an application's API usage and limit the number of requests made by a specific application (and thus the load placed on the servers).

If an API token is required, it should be included in every request in the HTTP request header apiToken. An example using the excellent command-line HTTP testing tool curl:

$ curl -i -H apiToken:testToken
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Mon, 10 Dec 2012 21:21:21 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive


Please keep your API token a secret. This means you should only use it server-side, and any client-side requests (for instance from a mobile or JavaScript application) should be proxied through your own web server.

Elevated access

In some cases an API token will be granted an impersonation privilege. Using such an API token it is possible to retrieve the personal data of any user, without prior consent from the user (and thus without an OAuth token). In these cases the application should send an extra header, requestedAuth, specifying the user name of the user to impersonate.
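
The proxying advice and the requestedAuth header described above can be combined in one server-side header policy. The following is an added example, not MyTimetable code: it drops any apiToken or requestedAuth header sent by the client and sets both from server-side state only. The base URL, environment variable names, header allowlist, and the `session_user` and `may_impersonate` parameters are assumptions for illustration.

```python
import os
import urllib.request
from urllib.parse import quote

# Assumptions (not from the page): base URL placeholder and env var names.
UPSTREAM_BASE = os.environ.get("MYTIMETABLE_API_BASE",
                               "https://mytimetable.example.invalid/api")
API_TOKEN = os.environ.get("MYTIMETABLE_API_TOKEN", "")  # stays on the server

# Only these client headers are forwarded; apiToken and requestedAuth sent
# by a browser or mobile app are therefore always dropped.
ALLOWED_CLIENT_HEADERS = {"accept", "accept-language"}


def build_upstream_headers(client_headers, session_user, token,
                           may_impersonate=False):
    """Build upstream headers from untrusted client headers.

    session_user is the user name established by the proxy's own login
    layer (hypothetical here), never a value taken from the request.
    """
    if not token:
        raise RuntimeError("API token is not configured")
    out = {k: v for k, v in client_headers.items()
           if k.lower() in ALLOWED_CLIENT_HEADERS}
    out["apiToken"] = token
    if may_impersonate:
        if not session_user:
            raise PermissionError("no authenticated user to act for")
        if "\r" in session_user or "\n" in session_user:
            raise ValueError("invalid user name")
        out["requestedAuth"] = session_user
    return out


def build_request(path, client_headers, session_user, token=None,
                  may_impersonate=False):
    """Return a urllib Request for the upstream API; path is untrusted."""
    safe_path = quote(path.lstrip("/"), safe="/")
    if ".." in safe_path.split("/"):
        raise ValueError("path traversal rejected")
    headers = build_upstream_headers(client_headers, session_user,
                                     token or API_TOKEN, may_impersonate)
    return urllib.request.Request(f"{UPSTREAM_BASE}/{safe_path}",
                                  headers=headers, method="GET")
```

Pass the returned request to `urllib.request.urlopen` inside the proxy's request handler, after the handler has authenticated the caller.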