This is a multi-page printable view. Click here to print.

Collector Service

Developer information about Collector Service API

Table of contents

1. Authentication & Authorization
2. Token Management
3. Enrollment endpoint
4. Summary endpoint
5. Profile endpoint
6. Open API Specification (Swagger)

The purpose of this documentation is to provide a guide on how to integrate with the AIR MILES Collector Service API.
As part of this documentation it’s included information on RESTful HTTPS requests/responses and error codes for each endpoint.

Target audience

This material is intended to be used by a Partner wishing to integrate with the AM Collector Service API.

What is the Collector Service API?

The Collector Service API provides REST-based services for enrolling new members and looking up the profile and summary information of existing members.

Integration environments

There are two sets of environments used by partners to integrate with the real-time checkout platform. These environments are configured similarly for consistent production-level quality, whether the partner has deployed to production or is still performing non-production testing.

Environment	Domain	Description
Certification	https://cert.airmilesapis.ca	Contains production quality code and test data used for developing and testing 3rd party integrations.
Production	https://airmilesapis.ca	Contains production code and live user data for real-world 3rd party integrations.

Endpoints

Enrollment (POST): <domain>/collectors
Summary (GET): <domain>/collectors/{collector-number}/summary
Profile (GET): <domain>/collectors/{collector-number}/profile

Your AMRP project team

In preparation for launch, an AIR MILES team is pulled together to assist Partners with integration and setup. This team will provide the following services:

Consulting Partners on the best technical solution to support AIR MILES Issuance based on system compatibility.
Providing guidance for assessing Partner requirements, data exchange methods, and reconciliation.
As well as overseeing a broad range of activities to meet the requirements of launch, including:
- Planning
- Communications
- Delivery
- Execution
- Monitoring

1 - Authentication & Authorization

The AIR MILES security layer granting access to member APIs and associated services.

For more information on “Auth0” and the various authentication flows, click the button below.

2 - Token Management

This section provides information about sample calls of how to follow the OAuth2.0 Authorization Code Flow.
It will provide information on how to generate an authorization code, exchange the authorization code to a token such as access token, refresh token and id token, and utilize the access token to call our APIs.
It will also show how to use a refresh token to get a new access token.

Generating an Authorization Code

Generate an Authorization Code by redirecting your customer to our universal login page.

(Fig. 1) AIR MILES universal log in page

Sample Authorization Request

<a href="https://oauth-cert.airmiles.ca/authorize?
    client_id=knPgPn56gZhdFEIZV27QevLkx&
    response_type=code&
    connection=member-email-idp-recaptcha&
    redirect_uri=https://your_redirect_uri/callback&
    scope=collector%3Asummary%3Aread%20offline_access&
    audience=loyalty-api">
  Sign In
</a>

Parameter	Description
`client_id`	To be provided by AIR MILES.
`response_type`	Do not change, keep as `code`.
`connection`	Do not change, keep as `member-email-idp-recaptcha`.
`redirect_uri`	The URL which Auth0 will redirect the browser to, and send the authorization code. Note The address must be a valid callback URI, and needs to be communicated to AIR MILES at the same time your `client_id` is being setup.
`scope`	Summary API requires scope `collector:summary:read`. Profile API requires scope `collector:profile:read`. Enrollment API requires scope `collector:enrollment:write`. Note The `offline_access` scope enables the use of Refresh Tokens and is optional
`audience`	To be provided by AIR MILES.

Sample Authorization Response

Once your customer authenticates themselves, a response will be sent to the redirect URI that includes an Authorization Code.

HTTP/1.1 302 Found
Location: https://your_redirect_uri/callback?code=6hgDftTGH656HEDLdfOPA43nmsR5GuqG

Exchange Authorization Code to Token

An Access Token is required to communicate with the Collector Service API.
To generate an Access Token (aka JSON Web Token), make an API request like the one shown below.

WARNING

The exchange authorization code to token request MUST originate from your backend in order to maintain the security of the OAuth2.0 Authorization Code Exchange.
If the request originates from a web browser this means your client_secret has been exposed to the public, at which point you MUST IMMEDIATELY let Airmiles Partner Ops know and request a new client secret.

Sample Token Request

curl --request POST \
  --url 'https://oauth-cert.airmiles.ca/oauth/token' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'client_id=knPJldKv8ygPn5ZV27QevLkx' \
  --data-urlencode 'client_secret=lfgdFGDF454FdDFffdl7h8J43s' \
  --data-urlencode 'code=6hgDftTGH656HEDnmsR5GuqG' \
  --data-urlencode 'redirect_uri=https://your_redirect_uri/callback'

Parameter	Description
`grant_type`	Do not change, keep as `authorization_code`.
`client_id`	The `client_id` used in the previous step.
`client_secret`	To be provided by AIR MILES.
`code`	The Authorization Code (i.e., `code`) returned in the last step.
`redirect_uri`	The `redirect_uri` used in the previous step.

Sample Token Response

If all goes well, you’ll receive a (HTTP 200) JSON response with a payload containing an access_token, refresh_token, id_token, and token_type.

{
  "access_token": "eyJz93a409sSwFG8kkIL2qsGHk4laUWw",
  "refresh_token": "GE5g5HJdbYb47HN358polTHdf3tHf3ra",
  "id_token": "eyKMD32ldkgfkDYKL4h6hf33edHGSDKk",
  "token_type": "Bearer"
}

Notes on Refresh Tokens

The refresh_token will only be present in the response if you included the offline_access scope.
Refresh Tokens must be stored securely since they allow a user to remain authenticated essentially forever.

JSON Web Token (JWT) structure

The JWT consists of three concatenated Base64url-encoded strings, separated by dots “.”.

String	Description
Header	Contains metadata about the type of token and the cryptographic algorithms used to secure its contents.
Payload	Contains verifiable security statements, such as the Collector ID and the allowed scopes.
Signature	Used to validate that the token is trustworthy and has not been tampered with.

Calling the Collector Service API

Finally, for instance, to display the Collector’s summary, make an API request using the Access Token received in the previous step.

Sample API Request

curl -X GET \
  `https://cert.airmilesapis.ca/collectors/:collector-number/summary` \
  -H 'Authorization: Bearer eyJz93a409sSwFG8kkIL2qsGHk4laUWw' \

Tip

Make sure to include the word Bearer before the token, as shown in the example above.

Using a Refresh Token

Typically, a user needs a new access token when gaining access to a resource for the first time, or after the previous access token granted to them expires.

A refresh token is a special kind of token used to obtain a renewed access token.
You can request new access tokens until the refresh token is blacklisted.
Applications must store refresh tokens securely because they essentially allow a user to remain authenticated forever.

Note

To successfully obtain a refresh token, you must first have included the offline_access scope when you initiated your authentication request through the ../authorize endpoint, as shown in Step 1.

To exchange the Refresh Token you received during authorization for a new Access Token, make a POST request to https://oauth-cert.airmiles.ca/oauth/token, using grant_type=refresh_token as seen in the example below.

Important

You should only ask for a new token if the access token has expired or you want to refresh the claims contained in the ID token.
For example, it’s bad practice to call the endpoint to get a new access token every time you call an API.

There are rate limits in Auth0 that will throttle the number of requests to this endpoint that can be executed using the same token from the same IP.

Sample ‘Refresh Token’ Request

curl --request POST \
  --url 'https://oauth-cert.airmiles.ca/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data-urlencode 'client_id=knPJldKv8ygPn56gZhdFEIZV27QevLkx' \
  --data-urlencode client_secret=lfgdFGDF456fFDFV4FdDFffdl7h8J43s \
  --data refresh_token=YOUR_REFRESH_TOKEN

Parameter	Description
`grant_type`	Do not change, keep as `refresh_token`.
`client_id`	To be provided by AIR MILES.
`client_secret`	To be provided by AIR MILES.
`refresh_token`	The Refresh Token to use.

Note

The scopes requested in the initial request are included by default in the Refresh Token.

Sample ‘Refresh Token’ Response

If all goes well, you’ll receive an HTTP 200 response with a payload containing a new access_token, its lifetime in seconds (expires_in), granted scope values, and token_type. If the scope of the initial token included openid, then the response will also include a new id_token:

The response will include a new Access Token, its type, its lifetime (in seconds), and the granted scopes.
The scope used in the request scope should also be included in the response as well.

{
  "access_token": "eyJz93a409sSwFG8kkIL2qsGHk4laUWw",
  "scope": "collector:summary:read offline_access",
  "id_token": "eyKMD32ldkgfkDYKL4h6hf33edHGSDKk",
  "token_type": "Bearer"
}

3 - Enrollment endpoint

Developer information about Enrollment endpoint of Collector Service API

Enrollment endpoint

This operation processes an enrollment request.
It will take full PII or partial PII and create an AM account.

This endpoint can be called for multiple use cases. Please contact Partner Support partnersupport@loyalty.com for advice on what is mandatory for each use case.

POST /collectors/

Sample request

Request header parameters

Name	Type	Example	Description	Required?
Content-Type	String	“application/json”		Yes
Authorization	String	“Bearer eyJhbGciOiJSUzI1NiIsIn-XXXXXXXXXXXXzzbEhulG9Dy2587TDhbtJXYQtm4AmKM2sexKkHHSg”	Authorization JWT	Yes

Request body

Parameter	Required?	Type	Example	Description
personalDetails	No	Object	personalDetails{ “firstName”: “Jane”, “middleName”:“Nad”, “lastName”: “Doe”, “dateOfBirth”:“1988-12-25”, “gender”:“FEMALE”, “title”:“MRS” }	Personal details of the collector.
firstName	Yes	String	“Jane”	Collector’s first name
middleName	No	String	“Nad”	Collector’s middle name
lastName	Yes	String	“Doe”	Collector’s last name
suffix	No	String	“Jr”	Letter(s) added to the end of a name for additional information
dateOfBirth	Yes	Date	“1988-12-25”	Collector’s date of birth in YYYY-MM-DD format.
gender	No	String	“FEMALE”	Collector’s gender
title	No	String	“MRS”	Courtesy collector’s title
contactDetails	Yes	Object	contactDetails{“email”: “airmiles@loyalty.com”, “phones : [{“type”: “Home”, “number”: “4162265171”, }, {“type”: “Mobile “, “number”: “9052261234” } ] }	Collector’s contact info
email	Yes	String	“airmiles@loyalty.com”	Collector’s email address
phones	No	Array	phones : [{“type”: “Home”, “number”: “4162265171”, }, {“type”: “Mobile “, “number”: “9052261234” } ]	Collector’s phone numbers.
type	No	String	“Home”	Type of phone number.
number	No	String	“4162265171”	Collector’s phone number.
addresses	No	Array	addresses : [{“type”: “Home”, “line1”: “250”, “line2”: “Unit 5”, “line3”: “subunit 3”, “city”: “Toronto”, “province”: “ON”, “country”: “CAN”, “postalCode”: “M5B2L7” }]	Collector’s addresses.
type	Yes	String	“Home”	Type of address.
line1	Yes	String	“250 Yonge St.”	Part 1 of the address.
line2	No	String	“Unit 5”	Part 2 of the address.
line3	No	String	“Subunit 3”	Part 3 of the address.
city	Yes	String	“Toronto”	City of the address.
province	Yes	String	“ON”	Province of the address.
country	Yes	String	“CAN”	Country of the address.
postalCode	Yes	String	“M5B2L7”	Postal code of the address.
preferenceDetails	No	Object	preferenceDetails{“language”: “ENGLISH”, “instantRedemptionSuppression”: false}	Collector’s preference details.
language	Yes	String	“ENGLISH”	Collector’s preferred language.
instantRedemptionSuppression	No	Boolean	false	AM lock.
enrollmentScheme	Yes	String	“DIGISAMSUN”	10-character Enrollment Scheme code.
source	No	String	“IMPCONONGO”	10-character Email Source code.
channel	Yes	String	“WEB”	Where the request is coming from. WEB, MOBAPP, BAT

4 - Summary endpoint

Developer information about Summary endpoint of Collector Service API

Summary endpoint

This operation processes a summary request.
This will provide basic information of a collector.

GET /collectors/{collectorNumber}/summary

Sample request

No request body

Request header parameters

Name	Type	Example	Description	Required?
Content-Type	String	“application/json”		Yes
Authorization	String	“Bearer eyJhbGciOiJSUzI1NiIsIn-XXXXXXXXXXXXzzbEhulG9Dy2587TDhbtJXYQtm4AmKM2sexKkHHSg”	Authorization JWT	Yes

Query/Path parameters

Name	Type	Example	Description	Required?
collectorNumber	path	“89085726604”	Collector number to consult	Yes

5 - Profile endpoint

Developer information about Profile endpoint of Collector Service API

Profile endpoint

This operation processes a profile request.
This will provide profile information and account details.

GET /collectors/{collectorNumber}/profile

Sample request

No request body

Request header parameters

Name	Type	Example	Description	Required?
Content-Type	String	“application/json”		Yes
Authorization	String	“Bearer eyJhbGciOiJSUzI1NiIsIn-XXXXXXXXXXXXzzbEhulG9Dy2587TDhbtJXYQtm4AmKM2sexKkHHSg”	Authorization JWT	Yes

Query/Path parameters

Name	Type	Example	Description	Required?
collectorNumber	path	“89085726604”	Collector number to consult	Yes

6 - Open API Specification (Swagger)