All communication with Tango API must be authenticated. The API authentication process validates the identity of the user attempting to connect to the server. The authentication protocol sends credentials from the remote user requesting access to the server. For an authentication account, reach out to one of our Technical Support specialists or email [email protected].
All calls require the platform’s authentication credentials. Authentication credentials are sent using HTTP Basic or OAuth authentication. Basic client credentials settings in Tango portal allows you to generate the platform name and API key, whereas, OAuth client credentials settings in Tango portal allows you to generate the client ID and a client secret.
The platform is responsible for handling access to its accounts such as not allowing ACC1 to place an order using ACC2 account. Requests from authenticated platforms against their accounts are implicitly trusted.
We do not allow browsers to POST calls. Attempts to do so, will result in an authorization error (403.001).
For best practices, we highly recommend to use non-browser tools for all API calls.
Never transmit your platform keys or client credentials via email or any other unsecured method. Design your system to allow for routine key changes. Change your keys immediately when employees who had access to the keys leave. If you suspect any suspicious activity on your platform, change your keys. We recommend to rotate to new keys on a schedule. The OAuth tokens are generated from client credentials and expire in 24 hours (86400 seconds). keys are managed through Tango portal. See how you can Retrieve client credentials and platform keys. For more information on industry best practices in this area see OWASP Top 10, #2
Tango may reject requests based on content or behavior that can be exploitative in nature. It includes requests containing insecure characters, or requests that are not consistent with OWASP Top 10 guidelines.
Network unpredictability, infrastructure, and supplier factors are occasional network errors and must be planned for. We recommend holding the connection open 15 seconds before terminating a call with no response.
We STRONGLY recommend that you utilize the idempotent "externalRefID" field to prevent the accidental duplication of orders.
Additionally, best practice is to build an exponential backoff or similar retry algorithm in which the timeout value for retry increases after each unsuccessful attempt. Please ensure that all retry attempts hold the connections open for 15 seconds before terminating the call.
For Tango API, we recommend Certificate Chain containing SSL/TLS and Certificate Authority (CA) for authentication:
* SSL/TLS Certificate
The communication with Tango API is handled over Transport Layer Security (SSL), a commonly-used protocol for managing secured message transmissions on the Internet. As a client of Tango API, make sure you have the Certificate Chain (an intermediate certificate) on you server. Not having the Certificate Chain disallows communication and can expose you to the potential man-in-the-middle attacks. To accomplish this purpose, we recommend you to add the Certificate Authority (CA) to your system’s trusted list. If that’s not possible, the alternative is to include the certificate in your application. Major CAs deliver a bundled file containing the complete Certificate Chain providing a single installation method for the certificate.
* Certificate Authority (CA)
Tango uses Amazon Web Services (AWS) to create our SSL certificates. You can get AWS’s root and intermediate certificates from AWS Docs: Server Authentication Certs. If you choose to reference the Certificate Chain from your application’s code, the details on how to do this are highly specific to the library being used to make the connection, but here are a few examples to demonstrate the idea:
Example 1: SSL for Ruby language
https = Net::HTTP.new('integration-api.tangocard.com', 443) https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_PEER https.ca_file = File.join(File.dirname(__FILE__), "../ca_certs/AmazonRootCA1.pem") https.request_get('/fake/example')
Example 2: SSL for PHP language
$curl = curl_init('https://integration-api.tangocard.com/fake/example'); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true); curl_setopt($curl, CURLOPT_CAINFO, __DIR__ . "../ca_certs/AmazonRootCA1.pem"); curl_exec($curl);
Example 3: SSL for Python language
import requests from requests.auth import HTTPBasicAuth # SSL verify-peer is used by default. requests.get('https://integration-api.tangocard.com/fake/example', auth=HTTPBasicAuth(username, password))
Please note that in the Ruby and PHP examples OpenSSL is being instructed to “VERIFY PEER”. This setting is essential as without it you know that your communication is encrypted, but you don't know who you’re talking to.
Updated about 1 month ago