Authenticate using API
If implementing OpenID Connect or JWTs is impossible, for instance if you use a common CMS or a website builder, you can use an API integration. Only do this if you cannot integrate another option and also cannot reasonably approve requests manually, or if we have recommended you use this option.
For sports associations using Conscribo through ESSF, this might still be your best option. Conscribo API integrations can be configured to provide more privacy.
Downsides
With OIDC or JWTs, the user provides credentials on your domain. We can never obtain these credentials and/or impersonate the user. This ensures optimal privacy for your members.
If you use an API integration, we show a login form for your members on the login.starcommunity.app domain and check these credentials against an API for your website/member database. This means that the credentials are processed by our servers. We only process these credentials in transit (over TLS) and do not store them, but this still makes Hubble a data processor, as we have access to clear-text credentials.
Preferred: API with minimal rights
If possible, we recommend using an API system with minimal rights. An example of this is the Conscribo member administration system, which allows creation of accounts with rights to only certain fields.
If this is possible, please create an account for us with the rights to:
- See any type of stable user identifier. This might be the member ID, internal database ID, UUID or any anonymised identifier, as long as it remains stable over the membership duration
- See the full name (and given_name/first_name) of the user
- See the email address of the user
- See the membership type
- See any field that you would like to use as password, or have access to an API endpoint to check passwords
This account should never have access to:
- Banking details
- Address information
- Other personal details stored in your member administration
If you would like to use this option, please provide us with API documentation and a corresponding account so that we can check whether integration is possible.
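One way to check the account before handing it over, as an added example that is not part of the original page or Hubble's own tooling: it audits a member record fetched with the integration account against the field lists above. The field names and the sample record are constructed assumptions; map them to the names your member administration actually uses.

```python
import json

# Field names are assumptions for this example; rename to match your system.
REQUIRED = {"member_id", "full_name", "email", "membership_type"}
OPTIONAL = {"given_name", "first_name", "password_field"}
# Substring hints used only to label what kind of data leaked (assumed naming).
FORBIDDEN_HINTS = {
    "banking": ("iban", "bic", "bank", "mandate"),
    "address": ("street", "address", "postal", "zip", "city"),
}

def flatten(record, prefix=""):
    """Yield (dotted_path, lowercase_leaf_key) for every leaf of a nested record."""
    for key, value in record.items():
        if isinstance(value, dict):
            yield from flatten(value, f"{prefix}{key}.")
        else:
            yield f"{prefix}{key}", key.lower()

def audit(record):
    """Group every field the account can see but should not, plus missing ones."""
    report = {"missing": [], "banking": [], "address": [], "other": []}
    seen = set()
    for path, leaf in flatten(record):
        if leaf in REQUIRED | OPTIONAL:
            seen.add(leaf)
            continue
        # Anything not explicitly allowed is reported; hints only pick the label.
        category = next((c for c, hints in FORBIDDEN_HINTS.items()
                         if any(h in leaf for h in hints)), "other")
        report[category].append(path)
    report["missing"] = sorted(REQUIRED - seen)
    return report

# Constructed sample of what an over-privileged account might return.
SAMPLE = json.loads("""{
  "member_id": "M-1042", "full_name": "Sam Example", "email": "sam@example.org",
  "date_of_birth": "1999-01-01",
  "payment": {"iban": "NL00EXAM0000000000"},
  "home": {"street": "Example Lane 1", "postal_code": "0000 AA"}
}""")

if __name__ == "__main__":
    for verdict, fields in audit(SAMPLE).items():
        print(f"{verdict}: {', '.join(fields) or 'none'}")
```

An account scoped as described should produce an empty list for every verdict; any entry under banking, address or other means the account's rights need to be narrowed before it is shared.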
Otherwise: credential verification only
If there is no other option, we can integrate with an API with exclusive access to verify a username & password combination. In this case, the user will have to provide and verify their name & email themselves. We will also assume that access is only granted for current members. The Hubble board might decide to reject integration in this case, or to lower the 6-month verification term for your association.