|
If you find errors or omissions in this document, please don’t hesitate to submit an issue or open a pull request with a fix. We also encourage you to ask questions and discuss any aspects of the project on the mailing list or in the chat room. New contributors are always welcome! |
20/12/2021, v1.0, initial release
1. Introduction
The api gateway is a place where European Reliance’s API’s of web services as APIs are exposed together with a portal help site for developers.
Behind the gateway, exposed, are our enterprise insurance services, which can be used by external developers, for applications that produce and consume insurance data, consumed by external parties.
Namely, it is, at the moment:
- mtr-api
-
Service for vehicle insurance application and policy processing, pricing, quoting plus more.
- fire-api
-
Service for fire insurance application and policy processing, pricing, quoting plus more.
- parameters-api
-
Service for listing common parameters among many services
2. API gateway
In front of all the services there is a common layer called gateway. It is enforcing constraints common to all services like security, accounting and rate limiting.
Gateway is responsible for:
-
The first level of authentication and authorization of every call to the internal services
-
Counting the invocations and rate limiting them.
It is essentially the gateway guard that every call must show its credentials in order to pass.
| Each API call passes from two levels of authentication and authorization. |
2.1. Authentication and authorization
-
First level: each call is being checked to see two things. if it contains an API key that is authorized to access the specified API resource and if it obeys some specified rate limiting access rules. If it doesn’t then a specific gateway error response is returned (see General Web Service Errors and Web Service Rate Limits).
-
Second level: Depending on the service, each call is checked if it contains an Authorization header with a valid Bearer token.
| An authorization token is fetched first from a specific service endpoint. |
If a company user wants to use an externally provided program (your program) he must first authorize it to impersonate him by following a specific procedure through our company’s portal.
Within that procedure the user publishes a user-key, a 40 character key, that ties his identity with the identity of your program. This bond can be enabled, disabled, deleted, and recreated by the user whenever he wants.
The user is instructed to deliver this user-key to your program in order for you to use it for the purpose of obtaining an authorization token from the API.
This authorization token together with your api-key must be supplied as header parameters with any API call.
2.1.1. First check
At first, you must obtain an API key that uniquely identifies you, by following the procedure of signing up. After approval you will be given access to certain provided APIs.
2.1.2. Second check
The second level of authorization is the API specific authorization. Each call is checked to see if it contains an authorization header. If not then a 401 Unauthorized error response is returned.
The authorization header is an “Authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxx” where the xxxx part is the token and is obtained by accessing a specific “tokens” address (see later).
Steps
|
Please take care of your api-key, the client user-key and the resulting authorization tokens are to be stored safely and never be shared with third parties. Use always secure communication protocols
Our services are served under HTTPS only. If you believe that your api-key or any other key or token got leaked to the outside world contact us immediately. We will disable them and supply you with new one. If we don’t disable them, they may be used in an illegal way by a third party without us having a way to differentiate a valid usage from an invalid one. If you want your api-key to be tied permanently with your IP for added security, contact us. |
2.2. API Key Usage
After signing up, you’ll be given your own, unique API key which is a 40 character string. The key:
-
Uniquely identifies you.
-
Gives you access to europisti.gr’s web services.
-
Should be kept private and should not be shared.
The API may be used several ways. In order of precedence:
Pass the API key into the X-api-key header:
curl -H 'X-api-key: DEMO_KEY' "https://gateway.europisti.gr/dev/parameters-api"To use your key, simply pass the key as a URL query parameter when making Web service requests. For example:
curl https://gateway.europisti.gr/dev/parameters-api/?api_key=YOUR_KEY"Regardless of the HTTP method being called, the API key can always be passed as a GET parameter in the URL query. So even if you are POSTing or PUTing to a specific service, the api_key query parameter can be supplied in the URL query parameters.
Depending on your usage, it can sometimes be easier to pass the API key along as HTTP Basic authentication. If you want to use this method, pass your API key in as the username, while leaving the password blank. For example:
curl "http://YOUR_KEY_HERE@gateway.europisti.gr/dev/parameters-api"2.3. Web Service Rate Limits
Daily and hourly rate limits on accessing europisti.gr’s web services.
There is a limit on the number of europisti.gr web service requests you can make using your API key. Rate limits may vary by service, but the defaults are:
Hourly Limit: 1,000 requests per hour
For each API key, these limits are applied across all europisti.gr web services requests. Exceeding these limits will lead to your API key being temporarily blocked from making further requests. Depending on the limit exceeded, the block will be lifted automatically by waiting until the next hour or calendar day.
2.3.1. How Do I See My Current Usage?
Your can check your current rate limit and usage details by inspecting the X-RateLimit-Limit and X-RateLimit-Remaining HTTP headers that are returned on every API response. For example, if an API has the default hourly limit of 1,000 request, after making 2 requests, you will receive these HTTP headers in the response of the second request:
X-RateLimit-Limit: 1000 X-RateLimit-Remaining: 998
2.3.2. Understanding Rate Limit Time Periods
Hourly Limit
The hourly counters for your API key reset on a rolling basis. Example:
-
If you made 500 requests at 10:15AM and 500 requests at 10:25AM, your API key would become temporarily blocked.
-
This temporary block of your API key would cease at 11:15AM, at which point you could make 500 requests.
-
At 11:25AM, you could then make another 500 requests.
2.3.3. Rate Limit Error Response
If your API key exceeds the rate limits, you will receive a response with an HTTP status code of 429 (Too Many Requests).
2.3.4. Need Higher Limits?
If you’re building an application that needs higher rate limits, we’d be happy to work with you. Contact us for more details.
2.3.5. Errors at gateway’s level
Certain, general errors will be returned in a standardized way from all web services. Additional, service-specific error messages may also be returned (see individual service documentation for those details). The following list describes the general errors any application may return:
| Error Code | HTTP Status Code | Description |
|---|---|---|
API_KEY_MISSING |
403 |
An API key was not supplied. Read API key usage for details on how to pass your API key to the API. |
API_KEY_INVALID |
403 |
An invalid API key was supplied. Double check that the API key being passed in is valid, or sign up for an API key. |
API_KEY_DISABLED |
403 |
The API key supplied has been disabled by an administrator. Please contact us for assistance. |
API_KEY_UNAUTHORIZED |
403 |
The API key supplied is not authorized to access the given service. Please contact us for assistance. |
API_KEY_UNVERIFIED |
403 |
The API key supplied has not been verified yet. Please check your e-mail to verify the API key. Please contact us for assistance if needed. |
HTTPS_REQUIRED |
400 |
Requests to this API must be made over HTTPS. Ensure that the URL being used is over HTTPS. |
OVER_RATE_LIMIT |
429 |
The API key has exceeded the rate limits. Read rate limits for more details or contact us for assistance. |
NOT_FOUND |
404 |
An API could not be found at the given URL. Check your URL. |
Error Response Body
The error response body will contain an error code value from the table above and a brief description of the error. The descriptions are subject to change, so it’s suggested that any error handling must use the HTTP status code or the error code value for error handling (and not the content of the message description).
Error Message Response Formats
Depending on the detected format of the request, the error message response may be returned in JSON, XML, CSV, or HTML. Requests of an unknown format will return errors in JSON format.
JSON Example
{
"error": {
"code": "API_KEY_MISSING",
"message": "No api_key was supplied. Get one at https://gateway.europisti.gr"
}
}XML Example
<response>
<error>
<code>API_KEY_MISSING</code>
<message>No api_key was supplied. Get one at https://gateway.europisti.gr</message>
</error>
</response>CSV Example
Error Code,Error Message
API_KEY_MISSING,No api_key was supplied. Get one at https://gateway.europisti.grHTML Example
<html>
<body>
<h1>API_KEY_MISSING</h1>
<p>No api_key was supplied. Get one at https://gateway.europisti.gr</p>
</body>
</html>2.4. Dev vs Prod
In order to access a developer’s sandbox for developing and testing reasons, it is enough just to add the word dev in the path after the server name and before the actual api’s path, for example:
Production URI https://gateway.europisti.gr/parameters-api
Sandbox URI https://gateway.europisti.gr/dev/parameters-apiOf course it is necessary for your API key to be accepted and given access to both environments by the authorization procedures that are established with your registration.
By having a valid and authorized X-api-key, any call can pass gateway’s checks and access any internal APIs that was given access to it. One such API is the parameters-api.
3. PARAMETERS-API intro
The parameters-api is accessible via https://gateway.europisti.gr/dev/parameters-api. In order to use this API, you must pass:
-
Your API key via one of the supported methods, preferably as header parameter
-
AND an authorization token via the Authorization header.
To make requests to the API two headers are required:
X-Api-Key: YOUR_API_KEY_HERE
Authorization: Bearer CLIENT_BEARER_TOKEN_HEREWithout these two headers all calls to parameters-api will be rejected with the response 401-Unauthorized
3.1. Authorization
3.1.1. Getting authorization tokens
An Authorization client bearer token is thus required, and the way to get it is via a POST request to https://gateway.europisti.gr/dev/parameters-api/tokens which requires only the api-key header as prerequisite and a JSON encoded payload of the user-key.
As an example from command line use:
curl -i \
-H 'Content-type: application/json' \
-H 'X-Api-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-X POST https://gateway.europisti.gr/dev/auth-api/resources/tokens \
-d '{"user-key": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv"}'With a correct and existing api-key and user-key which have been connected by the client internally, the response will be a 201 Created, and as the body the token and an Authorization header containing a token of type Bearer will be returned.
This token-in-body or token-in-header must be saved on the client side and must be used in all subsequent calls to every other parameters-api. The only exception to this rule, of course, is the current https://gateway.europisti.gr/dev/auth-api/resources/tokens for creating new tokens.
A convenience header X-Token-Expires-In: xxxx seconds is returned by default. It is the time remaining in seconds for which the token will be valid. With this header it is possible to calculate beforehand when a token renewal call will be needed.
By default the token is valid for 30 minutes after which the server will reject subsequent calls with the response 401 Unauthorized and an extra error header X-Error: Token Expired
|
If the client receives this error he can request a new token which will be valid for 30 more minutes.
|
No extra header
If the client gets response 401 Unauthorized without the extra header, then that means the authentication failed on the server side due to either wrong keys or because the client of the user-key refuses access to the X-Api-Key holder. In such case it is advised to first get in contact with your client (of user-key) to remedy the situation.
|
User impersonating another user
Sometimes a user needs to impersonate another user. For example a secretary might need access to various services in the name of an agent that gave her such rights. If the user has the right to use another person’s code (as dictated by company’s internal rules), you can grand them permission by appending a field named “agent-code” with the impersonated agent’s code as value. As an example:
curl -i \
-H 'Content-type: application/json' \
-H 'X-Api-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
-X POST "https://gateway.europisti.gr/dev/auth-api/resources/tokens" \
-d '{"user-key": "vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv", “agent-code”: “SSSS”}'|
string ISO date
When the specification of a date named field is “string ISO date”, it is expected to be supplied with a date in ISO 8601 format like “2018-10-28” or a datetime like “2018-10-28T13:55:00”. |
The date fields are expected to be in the Greek time zone and the conversions are handled by the api. When a datetime field is returned and it doesn’t end with a 'Z' (which denotes a UTC date) then it is supposed to be a Greek LocalDate value.
3.2. Errors
When the parameters-api encounters an error condition outside the normal flow, it tries to return that error condition with a specific header named X-Error. So when it encounters incomplete or bad requests, incoming data validation errors or specific internal error conditions, it sets the error header informing the client application with a more specific message.
You will use this information for correcting the condition and maybe retrying the operation. For example when the authentication token expires, the client application receives a 401 Unauthorized status with the specific header X-Error: Token Expired signalling that a new token must be obtained first from the “tokens” resource and then the operation can be retried.
3.2.1. Other headers
| When an operation returns with a failure status, it is possible that a header named X-Error is returned and usually an error entity with error details for both. |
For operations like POSTing new entities and for the success status 201 Created, a Location header is set, according to standards with the uri of the new entity.
Some operations return extra information or actions in the Link headers. For example when issuing an application a link for the notification document is included. The operations that return this kind of information are documented.
For reference purposes, click this link to find out more about known response status codes.
3.3. CORS
The parameters-api supports CORS and set required headers.
4. Common Parameters
The following API endpoints can be used to programmatically retrieve common parameters
All of entity properties that are supposed to be used as input fields, have a method in parameters resource that returns the acceptable values usually with descriptions. All of the methods support a GET request.
Available calls are:
| Method | Description |
|---|---|
…/prefectures |
List of prefectures |
…/subagents |
If applicable, the subagent code |
…/genders |
Genders |
…/personTypes |
Type of person (individual, company etc.) |
…/jobs |
Type of job |
…/banks |
The bank, in cases such as mortgage loans |
…/doy |
The Tax offices |
…/nationalities |
The nationality of the person involved |
…/contactways |
List of the preferred contact ways |
…/marketing/consents |
It includes the consent the customer gives in regards to marketing communication |
Calls that return static data are: prefectures, subagents, genders, personTypes, jobs, banks, doy, nationalities, contactways, and consents
4.1. Prefectures
List of prefectures
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
prefectureCode |
YES |
| Name | Optional | Comments |
|---|---|---|
post_code |
YES |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/prefectures/prefectureCode=1101"4.2. SubAgents
If applicable, the subagent code
Resource URL
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
subagentCode |
YES |
| Name | Optional | Comments |
|---|---|---|
status |
YES |
0 = Προς Έγκριση, 1 = Εγκεκριμένος, 2 = Απόρριψη, 3 = Διαγραφή |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/subagents/subagentCode=1234"4.3. Genders
Genders
4.3.2. Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/genders"4.4. Person Types
Type of person (individual, company etc.)
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/personTypes"4.5. Jobs
Type of job
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
jobCode |
YES |
| Name | Optional | Comments |
|---|---|---|
basic_job |
YES |
0 = Προς Έγκριση, 1 = Εγκεκριμένος, 2 = Απόρριψη, 3 = Διαγραφή |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/jobs/jobCode=666"4.6. Banks
The bank, in cases such as mortgage loans
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
bankCode |
YES |
| Name | Optional | Comments |
|---|---|---|
type |
YES |
0 = Bank, 1 = Leasing |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/banks/bankCode=01"4.7. Doy
Tax offices
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
doyCode |
YES |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/doy/doyCode=101"4.8. Nationalities
The nationality of the person involved
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
nationalityCode |
YES |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/nationalities/nationalityCode=GR"4.9. Contact ways
List of the preferred contact ways
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/contactways"4.10. Consents
It includes the consent the customer gives in regards to marketing communication
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/parameters-api/marketing/consents"5. Collection
The following API endpoints can be used to issue by charging user, to notify payment and/or to retrieve receipts.
Available actions are:
Issue a policy by charging a user’s account
Creation and notification of a payment code
Retrieve the available receipts of a specific policy or the covers that are included in a specific receipt
5.1. Issue by charging user
If the user wants and is able to proceed by charging his account, a PUT with an empty resource is needed on entity URL in order to issue the application immediately. On success the api will respond with a 205 Reset status, a Link header for policy document retrieval and an entity with the same info.
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
-H 'Content-type: application/json' \
-X PUT "https://gateway.europisti.gr/dev/collection-api/applications/123456789/charge"5.2. Payment Notification
A payment code will be created for an application that is in the specific status of prepay. It means that only entites in this status will be able to produce a payment notification document (available via link). If the entity is already issued then only other type of documents can be returned.
This payment code can be produced as many times as the user wants and it is always created with the last entity status and data.
Resource Information
Response formats |
binary |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
-X GET "https://gateway.europisti.gr/dev/collection-api/applications/123456789/payment_code"5.3. Receipts
Retrieve the available receipts of a specific policy or the covers that are included in a specific receipt.
Resource Information
Response formats |
JSON |
Requires authentication? |
Yes (user context) |
Rate limited? |
Yes |
Parameters
| Name | Optional | Comments |
|---|---|---|
id |
NO |
Application id |
receipt_no |
YES |
Receipt number |
Example Request
curl -H 'X-Api-Key: your_api_key' \
-H 'Authorization: Bearer user_token' \
"https://gateway.europisti.gr/dev/common-api/policy/applications/123456789/receipts/987654321"