Authentication overview
Lanyard's API provides programmatic access to event management features, including registration, attendee data, and ticketing. Secure access to these resources is managed through authentication, ensuring that only authorized applications and users can interact with the API. Lanyard offers two primary authentication mechanisms: API Keys for server-to-server communication and OAuth 2.0 for applications requiring delegated access on behalf of users.
All API requests to Lanyard must be made over HTTPS to encrypt data in transit and protect credentials from interception. Requests made without valid authentication or over insecure channels will be rejected by the API. Understanding the appropriate authentication method for your integration is crucial for maintaining data integrity and security.
Supported authentication methods
Lanyard supports two distinct authentication methods, each designed for specific integration scenarios:
- API Key Authentication: This method is suitable for server-side applications that need direct access to Lanyard's API. An API key is a unique, secret token that identifies your application. It grants broad access to your Lanyard account's resources, meaning it should be handled with extreme care and never exposed in client-side code or public repositories.
- OAuth 2.0: OAuth 2.0 is an authorization framework that allows third-party applications to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. Lanyard uses OAuth 2.0 for integrations where an application needs to access a user's Lanyard data with their explicit permission, without ever handling the user's Lanyard password. This is ideal for public client applications, mobile apps, or web applications that integrate with Lanyard on behalf of multiple users. The OAuth 2.0 framework defines several grant types, such as the authorization code grant, which is commonly used for web server applications to securely obtain access tokens after a user authorizes the application. For more details on the OAuth 2.0 specification, refer to the OAuth 2.0 Authorization Framework (RFC 6749).
The choice between API Key and OAuth 2.0 depends on your application's architecture and security requirements. Server-side applications managing their own data often use API keys, while applications interacting with other users' Lanyard data typically use OAuth 2.0.
| Method | When to Use | Security Level |
|---|---|---|
| API Key | Server-side applications, backend services, scripts, internal tools. | High (if kept secret); direct access to account resources. |
| OAuth 2.0 | Third-party applications, mobile apps, web apps requiring delegated user access. | High (token-based, scoped access); user consent required. |
Getting your credentials
To interact with the Lanyard API, you must first obtain the necessary authentication credentials from your Lanyard developer dashboard. The process varies slightly depending on whether you require an API key or are setting up an OAuth 2.0 integration.
API Key setup
- Log in to Lanyard: Access your Lanyard account at Lanyard's homepage.
- Navigate to Developer Settings: Once logged in, go to the 'Developer Settings' or 'API Keys' section within your dashboard. This is usually found under account settings or a dedicated developer menu.
- Generate an API Key: Look for an option to 'Generate New API Key' or 'Create Key'. Lanyard may prompt you to name your key for organizational purposes.
- Record Your Key: Immediately after generation, your API key will be displayed. It is crucial to copy and store this key securely, as it typically will not be shown again for security reasons. If lost, you will need to generate a new one.
OAuth 2.0 client setup
- Log in to Lanyard: Access your Lanyard account.
- Navigate to OAuth Applications: Go to the 'Developer Settings' and find the 'OAuth Applications' or 'Client Applications' section.
- Register a New Application: Click on 'Register New Application' or 'Create Client ID'. You will need to provide details such as:
  - Application Name: A user-friendly name for your application.
  - Redirect URIs: The exact URI(s) to which Lanyard will redirect the user after they authorize your application. These must be registered for security reasons to prevent phishing attacks.
  - Application Website (optional): Your application's homepage.
  - Application Logo (optional): A logo to display during the authorization flow.
- Obtain Client ID and Client Secret: Upon registration, Lanyard will provide you with a 'Client ID' and a 'Client Secret'. The Client ID is public, but the Client Secret must be kept confidential, similar to an API key.
- Configure Scopes: Define the necessary permissions (scopes) your application requires, such as read:events or write:attendees. These scopes limit what your application can do with a user's data, enhancing security and user trust.
For detailed, step-by-step instructions on obtaining credentials, refer to the Lanyard API documentation.
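The authorization code grant described above, worked through as an added example (not Lanyard's SDK or documentation code): it builds the authorization URL with a random state value, validates the callback against the registered redirect URI and that state, and prepares the server-side code-to-token exchange. The authorize endpoint, client ID and redirect URI are assumed placeholders, not values from the page.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed endpoint and placeholder credentials: not taken from the page.
AUTHORIZE_URL = "https://api.lanyard.com/oauth/authorize"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "https://example.com/lanyard/callback"  # registered exactly as-is

def build_authorization_url(scopes):
    """Step 1: return (url, state). Keep `state` in the user's session; it is
    checked on the callback so a forged callback cannot bind someone else's
    authorization code to this session (CSRF protection)."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # e.g. read:events write:attendees
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state

def parse_callback(callback_url, expected_state):
    """Step 2: validate the redirect back from Lanyard and return the code.
    Raises ValueError on a wrong redirect URI, an error response, a state
    mismatch, or a missing code."""
    parts = urlsplit(callback_url)
    received = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if received != REDIRECT_URI:  # exact match, never a prefix or wildcard
        raise ValueError("callback arrived on an unregistered redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    if query.get("state", [""])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF, discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code

def token_request_body(code):
    """Step 3: form fields for the code-to-token exchange. Send this from the
    server together with the client secret; the secret never reaches a browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
```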
Authenticated request example
Once you have your credentials, you can make authenticated requests to the Lanyard API. Both API Key and OAuth 2.0 typically involve sending a token in the Authorization header of your HTTP requests.
API Key example (Node.js)
For API key authentication, include your API key in the Authorization header with the prefix Bearer.
```javascript
const axios = require('axios');

const LANYARD_API_KEY = 'YOUR_LANYARD_API_KEY'; // Replace with your actual API key
const EVENT_ID = 'evt_example123'; // Replace with an actual event ID

async function getEventDetails() {
  try {
    const response = await axios.get(`https://api.lanyard.com/v1/events/${EVENT_ID}`, {
      headers: {
        'Authorization': `Bearer ${LANYARD_API_KEY}`,
        'Content-Type': 'application/json'
      }
    });
    console.log('Event Details:', response.data);
  } catch (error) {
    console.error('Error fetching event details:', error.response ? error.response.data : error.message);
  }
}

getEventDetails();
```
OAuth 2.0 example (Python)
For OAuth 2.0, after completing the authorization flow and obtaining an access token, include it in the Authorization header, also with the Bearer prefix.
```python
import requests

ACCESS_TOKEN = 'YOUR_OAUTH_ACCESS_TOKEN'  # Replace with your obtained OAuth access token
EVENT_ID = 'evt_example123'  # Replace with an actual event ID

def get_event_details_oauth():
    headers = {
        'Authorization': f'Bearer {ACCESS_TOKEN}',
        'Content-Type': 'application/json'
    }
    # A timeout keeps a stalled connection from hanging the caller indefinitely
    response = requests.get(f'https://api.lanyard.com/v1/events/{EVENT_ID}', headers=headers, timeout=10)
    if response.status_code == 200:
        print('Event Details:', response.json())
    else:
        print('Error fetching event details:', response.status_code, response.text)

get_event_details_oauth()
```
These examples demonstrate the fundamental structure for making authenticated API calls. The Lanyard API reference provides detailed information on available endpoints and expected request/response formats for specific operations, which can be found in the Lanyard API Reference.
Security best practices
Securing your Lanyard API integration is critical to protect sensitive event and attendee data. Adhering to security best practices helps prevent unauthorized access and data breaches.
- Keep API Keys and Client Secrets Confidential: Never hardcode API keys or OAuth client secrets directly into your client-side code, public repositories, or commit them to version control systems like Git without proper encryption and exclusion. Store them in environment variables or a secure secret management service.
- Use HTTPS/TLS for All Communication: All interactions with the Lanyard API must use HTTPS. This encrypts data in transit, protecting credentials and sensitive information from eavesdropping. Lanyard's API enforces HTTPS, rejecting insecure HTTP requests. This aligns with general web security recommendations from organizations like the W3C Web Security Working Group.
- Implement Least Privilege: Grant your API keys or OAuth applications only the minimum necessary permissions (scopes) required for their intended function. If an application only needs to read event data, do not grant it write access to attendee information. Regularly review and adjust permissions as your application's needs evolve.
- Rotate API Keys/Client Secrets Regularly: Periodically generate new API keys and client secrets, and revoke old ones. This practice reduces the window of exposure if a credential is ever compromised.
- Secure OAuth Redirect URIs: For OAuth 2.0 applications, ensure that your registered redirect URIs are precise and secure. Only use HTTPS URLs, and avoid using broad wildcards unless absolutely necessary and with careful consideration of the risks.
- Validate and Sanitize All Input: Any data sent to the Lanyard API should be validated and sanitized on your server to prevent injection attacks or malformed data issues.
- Monitor API Usage and Logs: Regularly review your application's API usage logs for any unusual activity or failed authentication attempts, which could indicate a security incident.
- Error Handling: Implement robust error handling for API responses, especially for authentication failures. Avoid exposing verbose error messages that might leak sensitive information to end-users.
- Use Official SDKs: When available, use Lanyard's official SDKs (Node.js, Python, Ruby) as they are designed to handle authentication and API interactions securely and correctly.
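Several of the practices above (secrets from the environment rather than source, HTTPS only, a masked credential in logs for usage review, and user-facing errors that do not echo the API's response) applied in one small client helper. This is an added example, not Lanyard's SDK; the environment variable name, base URL and response bodies are assumptions.

```python
import logging
import os
from urllib.parse import urlsplit

log = logging.getLogger("lanyard.client")

def load_api_key(env_var="LANYARD_API_KEY", environ=None):
    """Read the key from the environment, never from source code, and fail
    closed when it is missing instead of sending unauthenticated requests."""
    environ = os.environ if environ is None else environ
    key = environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to run without a credential")
    return key

def mask_credential(secret, keep=4):
    """Render a key for logs and dashboards: enough to tell which key was
    used during a review of failed attempts, never enough to reuse it."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return "*" * (len(secret) - keep) + secret[-keep:]

def build_request(base_url, path, api_key):
    """Return (url, headers) for an authenticated call; a non-HTTPS base
    would put the bearer token on the wire in clear, so it is refused."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("Lanyard API calls must use https")
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    return url, {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}

def classify_response(status, body, api_key):
    """Map a response to (user_message, log_record). The message shown to
    end users never echoes the server body; full detail goes to the server
    log, with the credential masked, so auth failures can be reviewed."""
    if 200 <= status < 300:
        return "ok", None
    record = {"status": status, "key": mask_credential(api_key), "detail": body}
    if status in (401, 403):
        record["event"] = "lanyard_auth_failure"  # candidate for alerting
        log.warning("%s", record)
        return "We could not load event data right now. Please try again later.", record
    record["event"] = "lanyard_api_error"
    log.error("%s", record)
    return "The event service is temporarily unavailable.", record
```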