Authentication overview
Makeup provides secure authentication mechanisms to protect both user data and system integrity when developers integrate with its platform. The choice of authentication method depends on the integration's purpose: whether it requires direct application access or delegated user authorization. Makeup primarily supports two authentication methods: API Keys for server-to-server communication and OAuth 2.0 for user-centric interactions, ensuring adherence to modern security standards.
API Keys are suitable for applications that interact with Makeup's public data or perform operations on behalf of the integrating application itself, such as fetching product listings or managing inventory updates from a backend system. These keys provide a straightforward way to identify and authorize requests without user intervention.
OAuth 2.0, an industry-standard protocol for authorization, is used when an application needs to access a user's specific data or perform actions on their behalf, such as accessing their order history or updating their profile. This method allows users to grant limited access to their resources without sharing their credentials directly with the third-party application. The OAuth 2.0 framework defines several grant types; Makeup typically supports the Authorization Code flow for web and mobile applications because of its robust security properties.
All API interactions with Makeup, regardless of the authentication method, must be conducted over HTTPS/TLS to encrypt data in transit and prevent eavesdropping and tampering. This aligns with HTTP security best practices and ensures sensitive information remains protected.
Supported authentication methods
Makeup supports the following primary authentication methods:
| Method | When to Use | Security Level |
|---|---|---|
| API Key | Server-to-server communication, backend services, accessing public data, or performing operations on behalf of the application itself (e.g., retrieving product catalog, inventory updates). | Moderate (Requires secure storage and transmission) |
| OAuth 2.0 (Authorization Code Flow) | User-delegated authorization, accessing user-specific data (e.g., order history, profile management), or performing actions on behalf of a user (e.g., placing an order). Ideal for web and mobile applications. | High (Token-based, user-consented, scope-limited) |
API Key Details
API keys are unique identifiers that authenticate requests from your application. When using an API key, it must be included in the header of each request. Makeup's API keys are typically long, alphanumeric strings. They are designed for applications that require direct, programmatic access without involving end-user authentication for each request.
OAuth 2.0 Details
The OAuth 2.0 Authorization Code Flow is recommended for applications that interact with user data. This flow involves several steps:
- Your application redirects the user to Makeup's authorization server.
- The user logs into Makeup and grants permission to your application for specific scopes (e.g., read_orders, write_profile).
- Makeup's authorization server redirects the user back to your application with an authorization code.
- Your application exchanges this authorization code for an access token and optionally a refresh token by making a server-to-server request to Makeup's token endpoint, including your client ID and client secret.
- Your application uses the access token to make authenticated requests to Makeup's API on behalf of the user.
- The refresh token can be used to obtain new access tokens when the current one expires, without requiring the user to re-authorize.
This flow ensures that your application never directly handles the user's Makeup credentials, enhancing security.
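The steps above, carried through in code as an added example (not code from Makeup's own documentation or SDK): a server-side client that builds the authorization redirect with a fresh, unguessable state value, validates that state when the callback arrives, redeems the authorization code at the token endpoint, and refreshes an expired access token. The endpoint URLs, the client credentials, and the token endpoint stand-in are assumptions constructed so the example runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical Makeup OAuth endpoints; assumed for this example, not taken from the docs.
AUTHORIZE_URL = "https://makeup.com/oauth/authorize"
TOKEN_URL = "https://api.makeup.com/oauth/token"


class OAuthClient:
    """Authorization Code flow client for a confidential (server-side) application.

    `post` is an injected transport, post(url, form) -> dict, so the flow can be
    exercised offline; a real integration passes an HTTPS POST to the token endpoint.
    """

    def __init__(self, client_id, client_secret, redirect_uri, post):
        self.client_id = client_id
        self.client_secret = client_secret      # loaded from a secret store in practice
        self.redirect_uri = redirect_uri
        self.post = post
        self._pending_states = set()            # states issued but not yet redeemed

    def authorization_url(self, scopes):
        """Step 1: build the redirect to Makeup's authorization server."""
        state = secrets.token_urlsafe(32)       # unguessable, unique per attempt
        self._pending_states.add(state)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,  # must exactly match the registered URI
            "scope": " ".join(scopes),          # least privilege: only what the app needs
            "state": state,
        }
        return AUTHORIZE_URL + "?" + urlencode(params), state

    def handle_callback(self, callback_url):
        """Step 3: validate the callback, then redeem the code (step 4)."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        code = query.get("code", [None])[0]
        if state is None or code is None:
            raise ValueError("callback missing code or state")
        # Only accept a state this client issued; compare in constant time.
        issued = next((s for s in self._pending_states
                       if hmac.compare_digest(s.encode(), state.encode())), None)
        if issued is None:
            raise ValueError("state mismatch: rejecting callback (possible CSRF)")
        self._pending_states.discard(issued)    # single use: a replayed callback fails
        return self.exchange_code(code)

    def exchange_code(self, code):
        """Step 4: server-to-server exchange; the client secret never reaches the browser."""
        return self.post(TOKEN_URL, {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })

    def refresh(self, refresh_token):
        """Step 6: obtain a fresh access token without asking the user again."""
        return self.post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })


def fake_token_endpoint(valid_codes):
    """Constructed stand-in for Makeup's token endpoint so the demo runs offline."""
    def post(url, form):
        if form.get("client_secret") != "demo-secret":
            return {"error": "invalid_client"}
        if form["grant_type"] == "authorization_code":
            if form["code"] not in valid_codes:
                return {"error": "invalid_grant"}
            return {"access_token": "at-" + form["code"], "refresh_token": "rt-1", "expires_in": 3600}
        if form["grant_type"] == "refresh_token":
            return {"access_token": "at-refreshed", "expires_in": 3600}
        return {"error": "unsupported_grant_type"}
    return post


def run_demo():
    """Walk the flow once, then show a forged callback and a replay being rejected."""
    client = OAuthClient("demo-client", "demo-secret",
                         "https://app.example/callback", fake_token_endpoint({"code-123"}))
    _url, state = client.authorization_url(["read_orders"])
    callback = f"https://app.example/callback?code=code-123&state={state}"
    tokens = client.handle_callback(callback)        # genuine redirect from Makeup
    refreshed = client.refresh(tokens["refresh_token"])
    rejected = 0
    for bad in ("https://app.example/callback?code=code-123&state=attacker-chosen", callback):
        try:
            client.handle_callback(bad)               # forged state, then a replay
        except ValueError:
            rejected += 1
    return tokens, refreshed, rejected


if __name__ == "__main__":
    print(run_demo())
```

The pending-state set stands in for whatever per-session storage your web framework provides; the point is that each state is issued once, compared in constant time, and discarded after one use, so a callback with a state you did not issue, or one presented a second time, never reaches the token endpoint.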
Getting your credentials
To integrate with Makeup, you will need to obtain appropriate credentials:
For API Keys
- Register for a Developer Account: Navigate to the Makeup developer portal (https://makeup.com/developers/ - hypothetical link derived from homepage and common developer portal patterns).
- Create a New Application: Within your developer dashboard, create a new application or project.
- Generate API Key: Follow the instructions to generate an API key for your application. Some platforms allow you to specify permissions or associate the key with specific projects. Note that API keys are typically generated once and should be treated as sensitive information.
- Secure Storage: Immediately store your API key securely. Do not embed it directly in client-side code or commit it to version control systems.
For OAuth 2.0
- Register for a Developer Account: As with API keys, begin by registering on the Makeup developer portal.
- Register Your Application: Create a new OAuth application. During this process, you will typically provide:
  - Application Name: A user-friendly name for your application.
  - Redirect URIs: One or more URLs to which Makeup will redirect the user after they authorize your application. These must be exact matches.
  - Application Type: (e.g., Web Application, Mobile Application).
- Receive Client ID and Client Secret: Upon successful registration, Makeup will issue you a unique Client ID and a Client Secret. The Client ID is public and identifies your application. The Client Secret is confidential and must be kept secure, similar to an API key.
Authenticated request example
Here are examples of how to make authenticated requests to the hypothetical Makeup API endpoint (api.makeup.com) using both an API Key and an OAuth 2.0 Access Token.
API Key Example
For API key authentication, the key is typically sent in a custom HTTP header, often named X-API-Key or Authorization with a specific scheme like Bearer if the platform supports it. For Makeup, we assume a custom X-API-Key header.
curl -X GET \
'https://api.makeup.com/v1/products' \
-H 'X-API-Key: YOUR_API_KEY_HERE' \
-H 'Content-Type: application/json'
Replace YOUR_API_KEY_HERE with your actual API key.
OAuth 2.0 Example
For OAuth 2.0, the access token is sent in the Authorization header using the Bearer scheme.
curl -X GET \
'https://api.makeup.com/v1/user/orders' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN_HERE' \
-H 'Content-Type: application/json'
Replace YOUR_ACCESS_TOKEN_HERE with the access token obtained through the OAuth 2.0 flow.
Security best practices
Adhering to security best practices is crucial when integrating with any API, including Makeup's, to protect sensitive data and maintain system integrity.
- Keep Credentials Confidential: Never hardcode API keys or client secrets directly into your application's source code, especially for client-side applications. Use environment variables, secure configuration files, or secret management services (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault) to store and retrieve them. This prevents accidental exposure through version control systems or public repositories.
- Use HTTPS/TLS: Always ensure all communication with Makeup's API occurs over HTTPS (TLS 1.2 or higher). This encrypts data in transit, protecting credentials and sensitive information from interception. Most modern HTTP client libraries enforce this by default, but always verify.
- Implement Least Privilege: Request and use only the minimum necessary permissions (scopes) for your application via OAuth 2.0. If your application only needs to read product information, do not request permissions to modify user profiles or place orders. This limits the potential damage if your application's credentials are compromised.
- Secure Redirect URIs: For OAuth 2.0, ensure your registered redirect URIs are specific and secure. Avoid using wildcard URIs (e.g., http://localhost:* in production) and always use HTTPS for production redirect URIs. This prevents malicious applications from intercepting authorization codes.
- Handle Tokens Securely:
  - Access Tokens: Store access tokens in memory or, for web applications, in HTTP-only cookies to mitigate XSS attacks. Avoid storing them in local storage.
  - Refresh Tokens: Store refresh tokens securely in a backend database or encrypted storage. They typically have longer lifespans and can be used to obtain new access tokens.
- Validate State Parameter (OAuth 2.0): Always use and validate the state parameter in your OAuth 2.0 authorization requests to prevent Cross-Site Request Forgery (CSRF) attacks. The state parameter should be a unique, unguessable value generated by your application for each authorization attempt and verified upon callback.
- Error Handling and Logging: Implement robust error handling for API requests and log authentication failures. This can help detect and respond to potential security incidents. However, be careful not to log sensitive information like API keys or full access tokens.
- Rotate Credentials: Periodically rotate your API keys and client secrets. Many platforms provide mechanisms to generate new keys and revoke old ones. This minimizes the risk associated with long-lived credentials.
- Rate Limiting: Be aware of and respect Makeup's API rate limits. Excessive requests can lead to temporary blocking, which might be mistaken for an authentication issue. Implement retry mechanisms with exponential backoff for transient errors.
- Stay Updated: Keep your application's dependencies and libraries up to date to patch known security vulnerabilities. Regularly review Makeup's developer documentation for any updates to authentication protocols or security recommendations.
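Several of the practices above, together with the API-key request shown earlier, in one added example that is not part of Makeup's documentation: the key is read from the environment rather than hardcoded and the client refuses to start without it; authentication failures are logged with the credential redacted; and 429 and 5xx responses are retried with exponential backoff while 401/403 are returned immediately. The header name X-API-Key follows the assumption made in the curl example; the API base URL, the environment variable name, and the flaky transport are constructed for the demo.

```python
import logging
import os
import re
import time

logger = logging.getLogger("makeup_client")

# Hypothetical API base and header name (the curl example above assumes X-API-Key).
API_BASE = "https://api.makeup.com/v1"
_SECRET_RE = re.compile(r"(Bearer\s+|X-API-Key:\s*)\S+")


def load_api_key(env_var="MAKEUP_API_KEY"):
    """Read the credential from the environment; fail closed if it is absent."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to send unauthenticated requests")
    return key


def api_key_headers(api_key):
    """Headers for an API-key request (the scheme the curl example assumes)."""
    return {"X-API-Key": api_key, "Accept": "application/json"}


def redact(text):
    """Mask bearer tokens and API keys so a log line never carries a credential."""
    return _SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


def send_with_retry(transport, method, url, headers,
                    max_attempts=4, base_delay=0.5, sleep=time.sleep):
    """transport(method, url, headers) -> (status, body).

    Retries 429 and 5xx with exponential backoff; logs auth failures (redacted)
    and returns them at once, since retrying a bad credential never helps.
    Returns (status, body, attempts).
    """
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status, body = transport(method, url, headers)
        if status in (401, 403):
            logger.warning("auth failure: %s %s -> %s (%s)", method, url, status,
                           redact(" ".join(f"{k}: {v}" for k, v in headers.items())))
            return status, body, attempt
        if (status == 429 or status >= 500) and attempt < max_attempts:
            sleep(delay)                # back off before retrying a transient error
            delay *= 2
            continue
        return status, body, attempt


def demo():
    """Constructed transport: two 429s then success; plus a missing-key check."""
    delays, calls = [], []

    def flaky_transport(method, url, headers):
        calls.append(headers)
        return (429, "rate limited") if len(calls) < 3 else (200, "[]")

    os.environ["MAKEUP_DEMO_KEY"] = "demo-key-not-real"      # constructed for the demo
    headers = api_key_headers(load_api_key("MAKEUP_DEMO_KEY"))
    status, _body, attempts = send_with_retry(
        flaky_transport, "GET", f"{API_BASE}/products", headers, sleep=delays.append)

    os.environ.pop("MAKEUP_DEMO_KEY")
    try:
        load_api_key("MAKEUP_DEMO_KEY")
        missing_key_rejected = False
    except RuntimeError:
        missing_key_rejected = True
    return status, attempts, delays, missing_key_rejected


if __name__ == "__main__":
    print(demo())
    print(redact("Authorization: Bearer eyJ.secret.token"))
```

Swap `flaky_transport` for a real HTTPS call (for example a `requests.request` wrapper returning the status and body) to use the wrapper in production; keep the injected `sleep` so the backoff stays testable without waiting.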