To ensure that all client and end-user data is kept private and secure, all API interactions require authentication of the client or application.

Any API request is validated with a unique set of credentials relevant to the application that handles the communication. Currently, Sizmek Ad Suite (SAS) supports a single, simple authentication method based on a manually pre-generated API username and password.

The API credentials are assigned to a specific API user, maintain a defined set of permissions, and uphold a defined request quota. For more information, see Quotas and Limitations on API Requests.


Important: You cannot exceed 10 simultaneous, active, API sessions with the same user credentials.

Authentication Flow

The current authentication flow follows these steps:

  1. Client is generated with a specific API username and password.

  2. Application that starts engaging the API uses the username and password to generate a SAS session token.

    • For the sandbox environment, the login URL is the following:
    • For the production environment, the login URL is:



Note: An API key is required for this API login URL, .

  3. Once a session token is generated, each API request includes the token and API key in the request headers in the Authorization field.

  4. When accessing the SAS REST API, the application uses the token and API key to authenticate each request.

  5. A session token is valid for three hours, regardless of the idle/active state of the session. Once the token expires, any requests receive the relevant error message; the user will need to refresh the token.

JavaScript Flow Example

  1. Authenticate with API assigned user and password, and API key. Then, call a specific API method:

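        $.ajax({
            url: "",
            type: "POST",
            contentType: 'application/json',
            // Request body must be valid JSON to match the content type
            data: JSON.stringify({username: "user", password: "password"}),
            headers: {
                'Access-Control-Allow-Origin': '*',
                'api-key': key
            },
            success: function(data) {
                var sessionId = data.result.sessionId;
                // Pass the session token to the API call defined in step 2
                call_method_x(sessionId);
            }
        });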
  2. Implement the method adding the generated token and the API key in the "Authorization" header:

    function call_method_x(sessionId) {
        $.ajax({
            url: "",
            type: "GET",
            contentType: 'application/json',
            data: 'from=0&max=25',
            headers: {
                'Access-Control-Allow-Origin': '*',
                'Content-Type': 'application/x-www-form-urlencoded',
                // Session token from the login response
                'Authorization': sessionId,
                'api-key': key
            },
            success: function (data) {
                // Handle the API response here
            }
        });
    }
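
Because a token lasts three hours from issue and only 10 sessions may be active per user, a client should log in once and reuse the token rather than log in per request. The following is an added example, not code from Sizmek: `SessionManager`, the injected `login` function and the five-minute refresh margin are assumptions.

```javascript
// Added example; SessionManager, login and REFRESH_MARGIN_MS are hypothetical names.
const TOKEN_TTL_MS = 3 * 60 * 60 * 1000;  // per the page: token valid for three hours
const REFRESH_MARGIN_MS = 5 * 60 * 1000;  // assumption: renew five minutes early

class SessionManager {
  // login: () => Promise<string>; performs the login POST and resolves to the token.
  // now: clock function, injectable so expiry can be checked without waiting.
  constructor(login, apiKey, now = Date.now) {
    this.login = login;
    this.apiKey = apiKey;
    this.now = now;
    this.session = null;  // { token, issuedAt }, held in memory only
    this.pending = null;  // in-flight login shared by concurrent callers
  }

  // Record a freshly issued token together with its issue time.
  store(token) {
    this.session = { token, issuedAt: this.now() };
  }

  // Returns the cached token, or null once it is inside the refresh margin.
  // Age is measured from issue time because activity does not extend the token.
  cached() {
    if (!this.session) return null;
    const age = this.now() - this.session.issuedAt;
    return age < TOKEN_TTL_MS - REFRESH_MARGIN_MS ? this.session.token : null;
  }

  // Resolves to a usable token. Concurrent callers share one login, so a burst
  // of requests after expiry opens one new session instead of many.
  getToken() {
    const token = this.cached();
    if (token) return Promise.resolve(token);
    if (!this.pending) {
      this.pending = this.login()
        .then((t) => { this.store(t); return t; })
        .finally(() => { this.pending = null; });
    }
    return this.pending;
  }

  // Headers for an API request, in the shape the page describes.
  async headers() {
    return { Authorization: await this.getToken(), 'api-key': this.apiKey };
  }
}
```
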

Credentials and Tokens

It is important to remember that the API credentials and generated token grant access to make requests and get access to the application data. Consider these values as sensitive as passwords; do not expose or share these values with non-trusted parties.

HTTPS Protocol

Authentication and all other requests are only secure if SSL is used. Therefore, all requests must use the HTTPS protocol.
