Authentication
VizSeek uses bearer tokens for most API calls, but there are three different patterns you need to know:
| Pattern | Used by | How you send it |
|---|---|---|
| App bearer token | Login, registration, utility calls that do not need a signed-in user | Authorization: Bearer <access_token> |
| User bearer token | Search, file upload, RFQ, saved searches, company actions | Authorization: Bearer <access_token> |
| Search image token | /api/Image URLs returned from search results | token=<short_lived_token> in the query string |
Bearer header format
Authorization: Bearer YOUR_ACCESS_TOKEN
Use Content-Type: application/json for the legacy JSON-string body endpoints, application/x-www-form-urlencoded for /api/Token, and application/octet-stream for the raw binary upload endpoints.
Which endpoints need which token
| Token requirement | Typical endpoints |
|---|---|
| No bearer token | POST /api/Token, GET /api/Version |
| App token is enough | GET /api/User, PUT /api/User, GET /api/ValidUploadFileTypes |
| User token required | Search, File, FileBinary, FileBinaryDirect, FileAttributes, RFQ, MonthlyUsage, CompanyLogo, SavedSearches, IsEmployee, PMIData |
| Query token instead of bearer | GET /api/Image |
App token vs user token
Use an app token when the call only needs to know which API client is calling. Use a user token when the endpoint needs a company context, a user identity, or permission checks tied to a signed-in user.
In practice:
- Get an app token first so you can call /api/User, /api/User PUT, or /api/ValidUploadFileTypes.
- Get a user token when you want to upload files, run searches, manage attributes, or use RFQ features.
Search image tokens
Search responses may return thumbnail or large-image URLs that look like this:
/api/Image?fid=<file_uid>&type=0&token=<short_lived_token>
That token is created specifically for /api/Image. Do not replace it with your bearer token.
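The token rules from the endpoint table and the search image token section, written as a client-side guard. This is an added example, not VizSeek's own code: the function names `auth_headers` and `redact_image_url`, the `REDACTED` marker and the sample URL are hypothetical, and masking the query token before logging is an added precaution because query strings are commonly written to access logs.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Controller names copied from the endpoint table on this page. The HTTP
# method is ignored here (the table lists GET/PUT for User).
NO_TOKEN = {"Token", "Version"}
APP_TOKEN = {"User", "ValidUploadFileTypes"}
USER_TOKEN = {"Search", "File", "FileBinary", "FileBinaryDirect",
              "FileAttributes", "RFQ", "MonthlyUsage", "CompanyLogo",
              "SavedSearches", "IsEmployee", "PMIData"}
QUERY_TOKEN = {"Image"}


def auth_headers(path, app_token=None, user_token=None):
    """Return the Authorization header (or none) the table calls for."""
    parts = [p for p in urlsplit(path).path.split("/") if p]
    if parts and parts[0].lower() == "api":
        parts = parts[1:]
    controller = parts[0] if parts else ""
    if controller in NO_TOKEN or controller in QUERY_TOKEN:
        # /api/Image carries its own token in the URL; never add a bearer.
        return {}
    if controller in USER_TOKEN:
        if not user_token:
            raise PermissionError(f"{controller} requires a user bearer token")
        return {"Authorization": f"Bearer {user_token}"}
    if controller in APP_TOKEN:
        if not app_token:
            raise PermissionError(f"{controller} requires an app bearer token")
        return {"Authorization": f"Bearer {app_token}"}
    # Fail closed: do not guess which credential an unlisted endpoint wants.
    raise ValueError(f"no token rule for {path!r}")


def redact_image_url(url):
    """Mask the short-lived query token so the URL can be logged."""
    u = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "token" else v)
             for k, v in parse_qsl(u.query, keep_blank_values=True)]
    return urlunsplit(u._replace(query=urlencode(query)))


if __name__ == "__main__":
    url = "/api/Image?fid=FILE_UID&type=0&token=SAMPLE"  # constructed sample
    print(auth_headers(url, user_token="USER"), redact_image_url(url))
```

These checks run in the client only; in minimal-security mode the server enforces no bearer token regardless of what the client sends.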
Route format
Every documented controller supports both forms below:
/api/Search/Search
The examples in this docs set use /api/... because that is the most common integration style in existing customer code.
What to expect on auth errors
- Missing or invalid bearer tokens usually return 401 Unauthorized.
- Some endpoints do additional validation after auth succeeds and may return 400 Bad Request instead.
- /api/Image returns 400 if the query-string token is missing or invalid.
Deployment security modes
On-prem deployments can run in different security modes that change how the auth gate behaves:
- Minimal-security mode: the [Authorize] gate is disabled and no bearer token is enforced.
- Basic-security mode: the password grant authenticates only the configured global admin account.
Confirm your deployment’s security mode with VizSeek before assuming the token requirements above are enforced.
Next step
Use the Token endpoint page for the exact grant types, request payloads, and refresh-token flow.