Web API is a framework that makes it easy to build and expose API endpoints over HTTP(S). Web API is used when you build RESTful applications that run in the browser, or for integrations where a server communicates with other servers.

Simple web API example

using System.Web.Http;

public class SampleApiController : ApiController
{
    // GET action (the "Get" prefix maps it to HTTP GET by convention).
    public IHttpActionResult GetSampleData()
    {
        return Ok(new
        {
            // Sample values; the original snippet left the array contents out.
            Data = new[] { "sample1", "sample2" }
        });
    }
}

When using Web API it is important to ensure that only authorized calls can execute the endpoints you create. Some endpoints can allow anonymous access because they are used from the public web application. Other endpoints are secured and access is limited to specific groups of users.

It is preferred to use HTTPS for all Web API calls to ensure that the communication cannot be tampered with.

When servers communicate with each other, JWT (JSON Web Token) authorization should be used to avoid sending the username and password with each request. When the JWT expires you need to request a new JWT, either with the username and password or with a refresh token, depending on the application and setup.

To restrict a Web API endpoint to JWT authorization only, declare the class or method with the OnlyJwtAuthorizationAttribute.

[OnlyJwtAuthorization]
public class SampleApiController : ApiController
{
    // Actions in this controller accept JWT bearer tokens only.
}

Service Account

A service account is used to secure integrations where another system is connected directly to Litium.

When you create integrations with Litium you can let the consumer identify as a real user (person) in Litium or as a service account. The benefit of using a service account instead of a real user account is that the service account is not allowed to log in on the public site or in administration, but it can still have the same permissions as an administrator.

Service accounts are managed in the settings part of Litium’s administration. Each service account has a username and password that are used for identification.


The OAuth2 client credentials authorization flow is used to create the JWT. With this flow the username and password are sent to the server and a JSON answer is returned with the JWT as an access token, together with information about when the token expires. The token can be reused for multiple requests until the expiration time is reached.

The token endpoint used in a POST request to create the JWT is https://domain/litium/oauth/token, and the required payload is “grant_type=client_credentials&client_id=[service account id]&client_secret=[service account password]”.



POST /Litium/OAuth/token HTTP/1.1
Host: domain
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=[service account id]&client_secret=[service account password]

Response:

{
    "access_token": "J4HlhawWVlIse-7-CwlqlFLVBtS1YBw01sXLzFuLehJt6JVWkJjQ236EbyRw7L5cSDC5opv9AmS7eu7fZRFUQ2Jy9",
    "token_type": "bearer",
    "expires_in": 599
}

In subsequent calls to the server the access token is sent in the Authorization header of the request, with authorization type Bearer.

Token usage example request

GET /api/example/productlist HTTP/1.1
Host: domain
Content-Type: application/json
Authorization: Bearer J4HlhawWVlIse-7-CwlqlFLVBtS1YBw01sXLzFuLehJt6JVWkJjQ236EbyRw7L5cSDC5opv9AmS7eu7fZRFUQ2Jy9
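The token request and the subsequent Bearer call above form one procedure: fetch a JWT with the service account credentials, reuse it for every call until expires_in runs out, then request a new one. The following Python client is an added example, not Litium's code. It assumes the endpoint and form payload documented on this page and the JSON answer shape (access_token, token_type, expires_in in seconds); the service account values, the token string, the 30-second refresh margin and the fake_token_endpoint stand-in are all constructed so the module runs offline. The HTTP transport is injected as a callable, so a real client library can replace the stand-in without touching the token logic.

```python
"""Client-credentials token handling for a server-to-server Litium integration.

Added example, not Litium's own code. It assumes the token endpoint and
form payload documented above and the JSON answer shape (access_token,
token_type, expires_in in seconds). The HTTP transport is injected so the
module runs offline against a constructed stand-in for the endpoint.
"""
import json
import time
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://domain/litium/oauth/token"  # "domain" is the page's placeholder host
REFRESH_MARGIN_SECONDS = 30  # assumed safety margin: renew a little before expires_in runs out


class TokenClient:
    """Requests a JWT with the service account once and reuses it until it expires."""

    def __init__(self, client_id, client_secret, post, clock=time.monotonic):
        # post(url, content_type, body) -> (status_code, response_text)
        self._client_id = client_id
        self._client_secret = client_secret
        self._post = post
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0  # number of round trips to the token endpoint

    def _request_token(self):
        # Exactly the payload the page documents, form-encoded.
        body = urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        status, text = self._post(TOKEN_URL, "application/x-www-form-urlencoded", body)
        if status != 200:
            raise RuntimeError(f"token endpoint returned HTTP {status}")
        answer = json.loads(text)
        if str(answer.get("token_type", "")).lower() != "bearer":
            raise RuntimeError(f"unexpected token_type {answer.get('token_type')!r}")
        self._token = answer["access_token"]
        # Treat the token as expired slightly before the server does.
        self._expires_at = self._clock() + int(answer["expires_in"]) - REFRESH_MARGIN_SECONDS
        self.token_requests += 1

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._request_token()
        return self._token

    def auth_header(self):
        """Header for subsequent API calls, as in the usage example above."""
        return {"Authorization": "Bearer " + self.access_token()}


# Constructed stand-in for the token endpoint so the example runs offline.
FAKE_SERVICE_ACCOUNT = {"client_id": "integration-svc", "client_secret": "example-secret"}


def fake_token_endpoint(url, content_type, body):
    """Mimics the documented answer: 200 + JSON for valid credentials, an error status otherwise."""
    if url != TOKEN_URL:
        return 404, ""
    if content_type != "application/x-www-form-urlencoded":
        return 415, ""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "client_credentials":
        return 400, json.dumps({"error": "unsupported_grant_type"})
    if (form.get("client_id"), form.get("client_secret")) != (
        FAKE_SERVICE_ACCOUNT["client_id"], FAKE_SERVICE_ACCOUNT["client_secret"]
    ):
        return 401, json.dumps({"error": "invalid_client"})
    # The token value is a constructed placeholder, not a real JWT.
    return 200, json.dumps(
        {"access_token": "constructed.example.token", "token_type": "bearer", "expires_in": 599}
    )


def demo():
    """Two calls inside the lifetime reuse one token; a call after expiry fetches a new one."""
    now = [1000.0]  # controllable clock so expiry can be simulated
    client = TokenClient(
        FAKE_SERVICE_ACCOUNT["client_id"], FAKE_SERVICE_ACCOUNT["client_secret"],
        post=fake_token_endpoint, clock=lambda: now[0],
    )
    first = client.auth_header()
    second = client.auth_header()  # served from cache: no new round trip
    now[0] += 599                  # past expires_in minus the margin
    third = client.auth_header()
    return client.token_requests, first == second, third["Authorization"].startswith("Bearer ")


def request_is_rejected(client_id, client_secret):
    """True when the stand-in endpoint refuses the credentials (wrong id or secret)."""
    client = TokenClient(client_id, client_secret, post=fake_token_endpoint, clock=lambda: 0.0)
    try:
        client.access_token()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(demo())  # (2, True, True)
```

The design keeps the client_secret out of every API call except the token request, which is the point of the JWT flow described above: the credentials travel once per token lifetime, and a token that is stolen in transit is bounded by expires_in. The refresh margin avoids the race where a token that is valid when the header is built has expired by the time the server checks it.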