Authorization

​

Understanding Authorization

Authorization within the Phishy API is managed through permissions assigned to each API key. Not all users will have access to all functionalities; access is granted based on the permissions associated with the user’s API key.

​

Permission Requirements

When your application makes a request to the Phishy API, the system checks whether the API key included in your request has the necessary permissions to perform the requested action. If the API key lacks the required permissions, the server will respond with a 403 Forbidden status.

​

Handling 403 Forbidden Errors

A 403 Forbidden status indicates that the API key used in the request does not have the necessary permissions to access the endpoint or perform the action. For example:

• If you attempt to create a campaign but your API key does not have campaign_write permission, the API will return a 403 Forbidden error.

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "error": "Access Denied",
  "message": "You do not have the required permissions to perform this action."
}

​

Best Practices

• Regularly review and manage the permissions of your API keys.
• Handle 403 Forbidden errors gracefully in your application, informing users when they do not have access to specific operations. By understanding and implementing proper authorization checks, you can ensure that your application interacts securely and effectively with the Phishy API.