API Authentication

How to authenticate with the Tee Time API.

Authentication Methods

Bearer Token

Primary authentication method for API access:

curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  https://api.digiwedge.com/teetime/v1/courses

API Key

For server-to-server integrations:

curl -H "X-API-Key: YOUR_API_KEY" \
  https://api.digiwedge.com/teetime/v1/courses

Obtaining Tokens

User Access Tokens

For applications acting on behalf of users:

Redirect user to authorization endpoint
User grants permission
Receive authorization code
Exchange code for tokens

POST /oauth/token
{
  "grant_type": "authorization_code",
  "code": "AUTH_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "YOUR_REDIRECT_URI"
}

Response:

{
  "access_token": "eyJ...",
  "refresh_token": "eyJ...",
  "expires_in": 3600,
  "token_type": "Bearer"
}

Client Credentials

For server-to-server without user context:

POST /oauth/token
{
  "grant_type": "client_credentials",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Token Refresh

Access tokens expire. Use refresh token to get new ones:

POST /oauth/token
{
  "grant_type": "refresh_token",
  "refresh_token": "YOUR_REFRESH_TOKEN",
  "client_id": "YOUR_CLIENT_ID"
}

API Keys

For backend integrations without user login:

Requesting an API Key

Contact DigiWedge support
Describe your integration use case
Receive API key credentials

Using API Keys

# Header authentication
curl -H "X-API-Key: YOUR_API_KEY" \
  https://api.digiwedge.com/teetime/v1/courses

# Query parameter (not recommended)
curl "https://api.digiwedge.com/teetime/v1/courses?api_key=YOUR_API_KEY"

Scopes

Control access level with scopes:

Scope	Description
`read:courses`	View course information
`read:bookings`	View bookings
`write:bookings`	Create/modify bookings
`read:players`	View player data
`write:players`	Modify player data
`admin`	Full administrative access

Request scopes during authorization:

/oauth/authorize?scope=read:courses write:bookings

Error Handling

Authentication Errors

Code	Status	Meaning
`invalid_token`	401	Token expired or invalid
`insufficient_scope`	403	Missing required scope
`invalid_client`	401	Client credentials invalid
`rate_limit_exceeded`	429	Too many requests

Example Error Response

{
  "error": "invalid_token",
  "error_description": "Access token has expired"
}

Security Best Practices

Token Storage

Never store tokens in client-side JavaScript
Use secure HTTP-only cookies
Store in secure backend session

Token Transmission

Always use HTTPS
Never include tokens in URLs
Use Authorization header

Key Management

Rotate API keys periodically
Use different keys per environment
Revoke compromised keys immediately

Testing

Sandbox Environment

Test authentication without affecting production:

Sandbox Auth: https://auth.uat.digiwedge.com
Sandbox API:  https://api.uat.digiwedge.com

Test Credentials

Request sandbox credentials from support for development testing.

Authentication Methods​

Bearer Token​

API Key​

Obtaining Tokens​

User Access Tokens​

Client Credentials​

Token Refresh​

API Keys​

Requesting an API Key​

Using API Keys​

Scopes​

Error Handling​

Authentication Errors​

Example Error Response​

Security Best Practices​

Token Storage​

Token Transmission​

Key Management​

Testing​

Sandbox Environment​

Test Credentials​