Authentication & Authorization

The system distinguishes between public endpoints serving frontend client applications and administrative endpoints requiring strict security checks.


🌎 Public Access

Most read-only queries are public, allowing frontends to fetch customer-facing datasets without API key configuration:

  • Endpoints:
    • /api/customers/:slug
    • /api/portfolio/:slug
    • /api/transactions/:slug
    • /api/stats/:slug
    • /api/analytics/:slug
    • /api/aggregate/:slug
    • /api/brokers
  • Security Model: Data isolation is enforced by the unique identifier (slug) assigned to each customer. Slugs are randomized or hashed to prevent scraping.

🔒 Administrative Access

Operations modifying the system state or executing heavy backend sync actions must be authenticated using an API Key.

  • Endpoints: POST /api/sync (Manual delta synchronization).
  • Authentication Header: X-Admin-Key.
  • Configuration: The API Key is stored as a Cloudflare Workers secret (environment variable ADMIN_API_KEY), never in the source code.

Gaining Admin Access

You must attach the X-Admin-Key header, carrying the configured secret value, to the HTTP request:

curl -X POST "https://api.hocchungkhoan.com.vn/api/sync" \
  -H "X-Admin-Key: your-secret-admin-key"

Authentication Errors

If the header is missing or its value does not match the server configuration, the API returns a 401 Unauthorized response:

{
  "success": false,
  "error": "Unauthorized"
}
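The following is an added example, not the project's own Worker code, showing how the X-Admin-Key check and the 401 response described above can be enforced in a Cloudflare Worker-style handler. It assumes the secret is exposed to the handler as `env.ADMIN_API_KEY` and compares the header value in constant time.

```javascript
// Added example (not the project's Worker code): the X-Admin-Key check from the
// docs above as a Cloudflare Worker-style handler. ADMIN_API_KEY is read from the
// `env` secret binding; a real Worker would `export default { fetch: handleRequest }`.

const ADMIN_HEADER = "X-Admin-Key";

// Byte-wise comparison that never stops at the first mismatch, so response timing
// does not reveal how many leading bytes of the presented key were correct.
function constantTimeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a);
  const y = enc.encode(b);
  let diff = x.length ^ y.length; // a length mismatch also forces failure
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0); // out-of-range reads as 0; loop runs fully
  }
  return diff === 0;
}

// Validate the presented key (header value, or null when the header is absent).
// Returns { ok: true } or the 401 payload exactly as the API documents it.
function authorizeAdmin(presentedKey, env) {
  const expected = env.ADMIN_API_KEY;
  // Fail closed: a missing or empty secret binding must never grant access.
  if (!expected || typeof presentedKey !== "string" || !constantTimeEqual(presentedKey, expected)) {
    return { ok: false, status: 401, body: { success: false, error: "Unauthorized" } };
  }
  return { ok: true };
}

// Worker fetch handler: only POST /api/sync is gated; every other route stays public.
async function handleRequest(request, env) {
  const url = new URL(request.url);
  if (request.method === "POST" && url.pathname === "/api/sync") {
    const auth = authorizeAdmin(request.headers.get(ADMIN_HEADER), env);
    if (!auth.ok) {
      return new Response(JSON.stringify(auth.body), {
        status: auth.status,
        headers: { "Content-Type": "application/json" },
      });
    }
    // Constructed placeholder for the manual delta synchronization itself.
    return new Response(JSON.stringify({ success: true }), {
      headers: { "Content-Type": "application/json" },
    });
  }
  return new Response("public route", { status: 200 });
}
```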