Authentication

API Key Configuration

The TPP API uses API keys to authenticate requests. These keys are generated and managed from the TPP backoffice at app.thepowerplugin.com.

Accessing the Backoffice

  1. Log in to app.thepowerplugin.com
  2. Navigate to Settings in the left sidebar menu
  3. Select the "API" tab to manage authentication keys

Types of API Keys

🔑 Main API Keys

These keys are used to authenticate all calls to TPP API endpoints.

Staging Mode (Testing)

  • Prefix: tpp_staging_
  • Format: tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37
  • Usage: For development and testing without affecting live data

Live Mode (Production)

  • Prefix: tpp_live_
  • Format: tpp_live_ceaeec76f5944f97a3uygbe33442sd34
  • Usage: For production operations with real data

🖼️ Iframe Token (Marketplace)

This token is specific to marketplace integration via iframe.

Iframe Token

  • Prefix: tpp_iframe_staging_ or tpp_iframe_live_
  • Format: tpp_iframe_staging_c25bb8c0e1624b4bab5e67fbbbf524b5
  • Location: Settings → Marketplace → Iframe Token
  • Usage: To authenticate players in the embedded marketplace

Key Generation

Main API Keys

  1. Go to Settings → API in the backoffice
  2. Click "Create New Token"
  3. Copy the generated key (shown only once)
  4. Save the key securely

⚠️ Important: Creating a new key revokes the previous one. Make sure to update all integrations.

Iframe Token

  1. Go to Settings → Marketplace in the backoffice
  2. Activate the marketplace if not already activated
  3. Select "Iframe" as integration type
  4. Click "Create new Token" in the Iframe Token section
  5. Copy the generated token

Authentication Methods

HTTP Basic Auth (Recommended)

# The trailing colon sends an empty password, so curl does not prompt for one
curl -u tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37: \
  https://api.thepowerplugin.com/players

Bearer Token (For CORS)

curl -H "Authorization: Bearer tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37" \
  https://api.thepowerplugin.com/players

In HTTP Headers

const headers = {
  'Authorization': 'Bearer tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37',
  'Content-Type': 'application/json'
};

Implementation Examples

JavaScript/Node.js

const axios = require('axios');

// Shared client: every request carries the API key as a Bearer token
const tppClient = axios.create({
  baseURL: 'https://api.thepowerplugin.com',
  headers: {
    'Authorization': 'Bearer tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37',
    'Content-Type': 'application/json'
  }
});

// Usage example
async function getPlayers() {
  try {
    const response = await tppClient.get('/players');
    console.log(response.data);
  } catch (error) {
    // error.response is undefined when no HTTP response arrived (DNS, TLS, timeout)
    console.error('Error:', error.response ? error.response.data : error.message);
  }
}

Python

import requests

headers = {
    'Authorization': 'Bearer tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37',
    'Content-Type': 'application/json'
}

# requests has no default timeout; set one so a stalled connection cannot hang the caller
response = requests.get(
    'https://api.thepowerplugin.com/players',
    headers=headers,
    timeout=10
)

print(response.json())

PHP

<?php
$apiKey = 'tpp_staging_ceaeec76f5944f97a3e2c3c1fce6uu37';
$url = 'https://api.thepowerplugin.com/players';

$headers = [
    'Authorization: Bearer ' . $apiKey,
    'Content-Type: application/json'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);

if ($response === false) {
    // curl_exec returns false on a transport failure (DNS, TLS, timeout)
    echo 'Error: ' . curl_error($ch);
} else {
    echo $response;
}

curl_close($ch);
?>

Iframe Integration

Iframe Token for Marketplace

<iframe 
  src="https://app.thepowerplugin.com/marketplace?token=tpp_iframe_staging_c25bb8c0e1624b4bab5e67fbbbf524b5&playerId={PLAYER_ID}&establishmentId={ESTABLISHMENT_ID}"
  width="100%" 
  height="600px"
  frameborder="0">
</iframe>

Iframe Authentication

// Endpoint to authenticate player in iframe
const iframeAuth = await fetch('https://api.thepowerplugin.com/iframe/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    token: 'tpp_iframe_staging_c25bb8c0e1624b4bab5e67fbbbf524b5',
    playerId: 'player_123',
    establishmentId: 'est_456'
  })
});
 
const authResponse = await iframeAuth.json();
// authResponse.token contains the session token

Security and Best Practices

🔒 Key Security

⚠️ CRITICAL: Your API keys carry many privileges. Keep them secure:

  • Never share keys in public repositories (GitHub, GitLab, etc.)
  • Don't include keys in client-side code
  • Use environment variables to store keys
  • Rotate keys regularly
  • Monitor key usage
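
The key-handling rules above, as an added example (not TPP's own code): it reads a main key from an environment variable, refuses a key whose mode does not match the deployment, and scans text for key-shaped strings before they reach a repository. The variable name `TPP_API_KEY`, the function names, and the 32-character key body (inferred from the sample keys on this page) are assumptions.

```javascript
// Added example, not TPP's own code. Assumption: a key is one of the documented
// prefixes followed by 32 lowercase letters/digits, as in this page's samples.
const KEY_PATTERN = 'tpp_(iframe_)?(staging|live)_[a-z0-9]{32}';

// Describe a key without exposing it: kind, mode and a log-safe redaction.
function describeKey(key) {
  const s = String(key);
  const m = new RegExp(`^${KEY_PATTERN}$`).exec(s);
  if (!m) return null;
  return {
    kind: m[1] ? 'iframe' : 'main',
    mode: m[2],
    redacted: `${s.slice(0, -32)}****${s.slice(-4)}`,
  };
}

// Read the main key from the environment (TPP_API_KEY is a hypothetical name)
// and refuse one that does not belong in this deployment.
function loadApiKey(env, expectedMode) {
  const info = describeKey(env.TPP_API_KEY);
  if (!info) throw new Error('TPP_API_KEY is missing or malformed');
  if (info.kind !== 'main') throw new Error(`iframe token ${info.redacted} is not a main API key`);
  if (info.mode !== expectedMode) {
    throw new Error(`refusing ${info.mode} key ${info.redacted} in a ${expectedMode} deployment`);
  }
  return { authorization: `Bearer ${env.TPP_API_KEY}`, redacted: info.redacted };
}

// Report every key-shaped string in a text, e.g. staged files in a pre-commit check.
function scanForKeys(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const m of line.matchAll(new RegExp(KEY_PATTERN, 'g'))) {
      findings.push({ line: i + 1, ...describeKey(m[0]) });
    }
  });
  return findings;
}

// Constructed sample input: the keys below are made up for this example.
const SAMPLE_SOURCE = [
  "const axios = require('axios');",
  `const key = 'tpp_live_${'a1b2c3d4'.repeat(4)}';`,
  `<iframe src="https://app.thepowerplugin.com/marketplace?token=tpp_iframe_staging_${'0f'.repeat(16)}">`,
].join('\n');

console.log(scanForKeys(SAMPLE_SOURCE));
```

Each finding carries only the redacted form, so the scanner's own output is safe to write to CI logs.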

🌐 Connection Requirements

  • HTTPS only: All calls must be over HTTPS
  • HTTP will fail: Unencrypted HTTP calls will be rejected
  • Authentication required: Requests without authentication will fail

📊 Rate Limiting

  • Per-endpoint limits: Each endpoint has specific limits
  • Custom allocations: Limits tailored per account
  • Optimization: Designed for maximum performance

Troubleshooting

Error 401 - Unauthorized

{
  "error": "Unauthorized",
  "message": "Invalid API key"
}

Solution: Verify that the API key is correct and active.

Error 403 - Forbidden

{
  "error": "Forbidden", 
  "message": "Insufficient permissions"
}

Solution: The key doesn't have permissions for this operation.

Error 429 - Too Many Requests

{
  "error": "Rate Limited",
  "message": "Too many requests"
}

Solution: Reduce request frequency or contact support.


To get your API keys, go to app.thepowerplugin.com → Settings → API