Prisjakt Reviews API

This API allows you to view and reply to shop reviews.

Getting started

This guide will help you get set up to use our API. The base address of the Reviews API is https://api.schibsted.com/prisjakt/reviews. The first step is to set up client credentials and make an authentication request. Then you can fetch shop reviews.

Authentication

All requests to the API require authentication. To prove that the user has been granted permission, the request header sent by the application must include a valid access token. As the first step towards authentication, you will need to register your application. This will give you a unique client ID and client secret.

To authenticate, set the grant type (grant_type) to client_credentials, and set your client ID (client_id) and client secret (client_secret).

curl --request POST \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials' \
  --data 'client_id=<replace with client ID>' \
  --data 'client_secret=<replace with client secret>' \
  https://pre-api.schibsted.com/prisjakt/reviews/token

{
    "access_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6ImM1U09QVmQyS0h6VW9mVFg2L3d6ekJYWkVqaz0ifQ.eyJpc3MiOiJodHRwczovL2FwaS1zdGFnZS5zY2hpYnN0ZWQuY29tL3ByaXNqYWt0L2F1dGgiLCJzY29wZSI6InJvbGU6c2VydmljZSIsInN1YiI6IjhkYjFjMzA4MzUzYjQ0ZTY5MTE1ODFjZDZmMGRiM2JkIiwiaWF0IjoxNjIzMDQ1ODE2LCJleHAiOjE2MjMwNDY0MTZ9.RQWSrWE0uIeiKdW11Hho0yLJBM6LVJSXxIJCvy8-CNmJ4xoncAcaizqKIpN-mIL1AYQXFFDLrB_y0iZOoHBKnwjUVRt14OUhUjVuV57ntIFMAy5Xljiv5KGWkP5w0ZDuTcs72AEGd4q1BXwrEKyoT-q_F1GYkUB28E1f0LegOLH84p0VeaJ-CHbduHWXoC4J_j1yi7G1dDJu7U2rWNG7mT876b7n5S6QuV2pC3XJqzMoX2o10Kt3Zbpl9Pk1CDxDDjApntfnjeQjmwAcJAZ0MFxQWL8UHjFnzde0EI0RQWzGDFaMqC6lurEw6tuYDiJvPdSrjMcktSuF3p3g-Vs8eg",
    "expires_in": 600,
    "token_type": "Bearer"
}

Shop Reviews

Reviews are written by Prisjakt users. This API allows a user to fetch and reply to reviews for a shop they are authorized to manage.

Example requests

curl --location --request GET 'https://api.schibsted.com/prisjakt/reviews?shop_id=<replace with shop ID>&market=se' \
--header 'client-id: <replace with client ID>' \
--header 'Authorization: Bearer <replace with access token>'

Rate Limiting

To make the API fast for everybody, rate limiting is applied to the Client ID.

Production: 10,000 requests in 1 hour

The returned HTTP headers of any API request show your current rate limit status:

HEADER                   DESCRIPTION
X-RateLimit-Limit        The maximum number of requests you're permitted to make per hour.
X-RateLimit-Remaining    The number of requests remaining in the current rate limit window.
X-RateLimit-Reset        The time in milliseconds when the current rate limit window resets.

HTTP status code 429 is used to indicate that the current rate limit has been exceeded.

Status: 429 Too Many Requests
X-RateLimit-Limit: 10000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 600000

Webhooks

Webhooks are a way to receive real-time HTTP notifications when a review is created or updated. You can use webhooks to keep your system in sync with the Reviews API. The webhook payload is a JSON object that contains the review ID, the shop ID and the market.

Structure of post message

{
  shopId: number;
  market: string;
  reviewId: string;
}

Along with the payload described above, a signature is sent in a header called pj-message-signature. This signature can (and should) be used to verify the authenticity of the message.

Verifying the message signature

The signature is a hash-based message authentication code (HMAC) calculated over the post message with a shared secret, using SHA-256 as the hash function, and returned in Base64 format.

Using JavaScript the signature in the request header can be verified like this:

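const crypto = require('crypto');

// Example payload. The HMAC is computed over the serialized JSON string,
// so the key order used here affects the result.
const message = {
  market: 'se',
  shopId: 123,
  reviewId: 'abc123',
};

// Value of the pj-message-signature request header.
const signatureFromHeader = 'sxIOCSFe/Nm43uZUFWGlRUWeJyI2/iXsyeLRv6LLJBU=';

// Shared secret, used here as a plain string (not Base64-decoded).
const sharedSecret = 'c29tZSBzaWduaW5nIGtleQ==';

const signature = crypto
  .createHmac('sha256', sharedSecret)
  .update(JSON.stringify(message))
  .digest('base64');

// Compare in constant time. timingSafeEqual throws if the lengths differ,
// so the lengths are checked first.
const expected = Buffer.from(signature);
const received = Buffer.from(signatureFromHeader);
if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
  console.log('Signature was successfully verified.');
}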
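
The following is an added example, not code from the original page or from Prisjakt: a receiver-side check that verifies pj-message-signature against the raw request body before parsing it, and shows that a body re-serialized with a different key order no longer verifies. The helper name verifyWebhook and the sample secret and body are constructed for illustration, and the code assumes the signature covers the exact body bytes as sent.

```javascript
const { createHmac, timingSafeEqual } = require('crypto');

// Hypothetical helper (not part of the Prisjakt API): returns the parsed
// payload when the signature matches, otherwise null.
// Assumption: the HMAC covers the exact bytes of the request body.
function verifyWebhook(rawBody, signatureHeader, sharedSecret) {
  if (typeof signatureHeader !== 'string' || signatureHeader.length === 0) {
    return null; // pj-message-signature header missing
  }
  const expected = createHmac('sha256', sharedSecret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'base64');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length || !timingSafeEqual(received, expected)) {
    return null;
  }
  // Parse and type-check only after the body has been authenticated.
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch (err) {
    return null;
  }
  const ok = payload !== null && typeof payload === 'object' &&
    typeof payload.shopId === 'number' &&
    typeof payload.market === 'string' &&
    typeof payload.reviewId === 'string';
  return ok ? payload : null;
}

// Constructed sample values, for illustration only.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"shopId":123,"market":"se","reviewId":"abc123"}');
const SAMPLE_SIGNATURE = createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest('base64');

function demo() {
  // Same fields, different key order: the bytes differ, so the HMAC differs.
  const reordered = Buffer.from(JSON.stringify({ market: 'se', shopId: 123, reviewId: 'abc123' }));
  const tampered = Buffer.from('{"shopId":999,"market":"se","reviewId":"abc123"}');
  return {
    valid: verifyWebhook(SAMPLE_BODY, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    reordered: verifyWebhook(reordered, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    tampered: verifyWebhook(tampered, SAMPLE_SIGNATURE, SAMPLE_SECRET),
    missingHeader: verifyWebhook(SAMPLE_BODY, undefined, SAMPLE_SECRET),
    truncated: verifyWebhook(SAMPLE_BODY, SAMPLE_SIGNATURE.slice(0, 10), SAMPLE_SECRET),
  };
}

console.log(demo());
```

In a web framework, pass the unparsed body buffer to the helper; a body that has already been parsed and re-stringified may not match the bytes that were signed.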
