About ACME APIs
ACME's powerful API layer allows our partners to access and expand the ACME Ticketing Platform in ways that work best for their venues and their customers. The ACME web, point-of-sale, and access control applications are built on the same REST-based APIs that we make available to our partners.
This document covers the basics of accessing and interacting with the ACME APIs and should be used as the basis for understanding how to integrate with our API layer.
TABLE OF CONTENTS
- About ACME APIs
- Authentication and Access Requirements
ACME APIs are REST-based on the HTTP transport layer with JSON as the primary request and response format. Access to the ACME APIs is only allowed via HTTPS using TLS 1.2+ encryption
Authentication and Access Requirements
API access is tied to an ACME user and permissions are controlled via Groups, Roles, and Permissions in Back Office. Before requesting access to the APIs, please have your local system administrator create and configure a user for you. Once a user has been configured, you can access the ACME APIs using a temporary session or by requesting an API key.
Sessions are temporary keys used to access the ACME APIs. Sessions are generally used for testing, one-time tasks, or to begin development while waiting on an API key to be assigned by ACME Product Support.
Note: Sessions should never be used to build production applications as they will expire and the application will no be able to access the ACME APIs.
Create a Session
Headers (Choose One Set)
"title": "Princess of Themyscira",
"companyName": "Golden Lasso Adventures"
The session ID returned in the session attribute can be passed into subsequent API calls using the x-acme-session header.
For most integration projects, you’ll likely want to have an API key assigned to a user. This key allows you to skip the step of creating a session and is passed into calls using the x-acme-api-key header.
WARNING: API keys should be kept secret just as you would a username and password. Anyone who has an API key will be able to access, via API, any area of the system for which the user has permission.
API keys can only be assigned to username-only users and we recommend creating a clearly-identifiable, integration-specific user for each integration. Examples would include:
Note: Only ACME Clients can request API Keys. System integrators and third-party vendors should reach out to their venue contact to have them request a key.
Please see the Requesting an API Key for the checklist of steps.
There are several standard headers used to connect to the ACME APIs. The table below outlines these headers, uses, and when they are required.
Standard user’s email address
Username-only user’s username
Tenant ID for a username-only user
Temporary session ID returned from the session call
ACME-assigned API key
Tenant ID - required for all unauthenticated B2C calls
User-generated UUID used in checkout calls to avoid duplicate transactions
ACME-assigned publishable API key used for CORS checkout only
Rate Limiting and Intrusion Prevention Systems
To help identify and prevent excessive or erroneous calls to the ACME APIs that could impact service, ACME may use rate limiting or intrusion prevention systems to monitor, throttle, or block suspicious API activity. These thresholds are configured as to minimize their impact on everyday API use.
An HTTP status code of 429 would indicate that the rate limit has been exceeded and you should try your request later.