API Key Access & Security

Authentication

An API key is required to authenticate requests to the Drive API. Every API request must include the API key in the X-API-Key header.

If the API key is missing or invalid, the request will be rejected with a 401 Unauthorized response.

Authorization

API keys enforce role-based access control by defining which endpoints and operations the key can access. Each key can be configured with specific permissions, granting access to different API functionalities such as:

  • Geosearch (Searching for charge points)
  • User Management (Users, User Groups)
  • Charging Keys (Management, Orders)
  • Payments & Subscriptions
  • Sessions

If an API key lacks the necessary permission for an operation, the API will return a 403 response.

Security Measures

  • Encryption in Transit: All API communications are secured using HTTPS, ensuring that data—including your API key—is encrypted during transit.
  • Secure Storage: API keys are stored securely on our side within a protected database environment, ensuring that keys remain confidential and are safeguarded against unauthorized access.

You can obtain the API key from the Control Panel for both stage and production environments (ask your CSM for access).

⚠️

API Key considerations

  • Keep it secure: Store your API key in a safe location and do not expose it in client-side code or public repositories.
  • Do not share your API key: Your API key grants access to sensitive operations. Sharing it may lead to unauthorized access and potential misuse.
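A client-side sketch of the points above, added here as an illustration and not taken from Plugsurfing's own code: the key is read from the environment, is only ever attached to HTTPS URLs, is redacted before logging, and 401 and 403 are surfaced as separate failures. The environment variable name, the host and the helper names are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_KEY_ENV = "DRIVE_API_KEY"  # assumed variable name, not from the Drive API docs


class DriveApiError(Exception):
    def __init__(self, status, kind, action):
        super().__init__(f"{status} {kind}: {action}")
        self.status, self.kind, self.action = status, kind, action


def load_api_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set")
    return key


def redact(key):
    """Form that is safe to log: last four characters only."""
    return "****" + key[-4:] if len(key) > 8 else "****"


def build_request(url, api_key, method="GET"):
    """Attach X-API-Key, refusing any URL that would send it without TLS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send API key over a non-HTTPS URL")
    return urllib.request.Request(url, method=method, headers={"X-API-Key": api_key})


def classify(status):
    """Map the two failure codes the page documents to distinct remediation."""
    if status == 401:
        return DriveApiError(status, "authentication", "key missing or invalid")
    if status == 403:
        return DriveApiError(status, "authorization", "key lacks permission for this operation")
    return None


def call(url, api_key, timeout=10):
    """Send the request; raise DriveApiError on 401/403, re-raise anything else."""
    try:
        with urllib.request.urlopen(build_request(url, api_key), timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        err = classify(exc.code)
        if err is None:
            raise
        raise err from None
```

urllib follows redirects and carries request headers along, so keep the URL pinned to the documented API host rather than one taken from user input.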

Diagram

Here is a diagram showing how API Key authentication and authorization works on Drive API:

API Key Authentication and Authorization


Security of webhooks

If you want to be sure that Session events and CDRs are emitted by Plugsurfing, please check the Verify HMAC Signatures guide.