All API calls on the Toornament APIs require your application to be authenticated. When accessing private data, your application must also be authorized to access the data. For example, accessing public tournament information would not require authorization, but accessing the user's registrations would.

Access Types

All API endpoints must use either simple or authorized access type. Some API endpoints will only be available with an authorized access.

  • Simple Access
    Allows reading public data
    Requires authentication
  • Authorized Access
    Allows access to both public and private data
    Requires both authentication and authorization

1. Simple Access

The simple access allows your application to read public data without requiring a particular authorization. You cannot however write or update any information and private data cannot be accessed.

A simple access only requires your application to be authenticated. This is performed by using the API key that is provided in your application profile.

2. Authorized Access

The authorized access allows to read or modify user data, both private and public. You may still be limited to the operations allowed by the user's permissions.

An authorized access requires your application to be both authenticated and authorized. Such authorization is accomplished by using the OAuth 2 protocol.

Each API endpoint that requires an authorized access will also require a scope. In OAuth 2, a scope represents a set of permissions. When an application must access a particular resource, it must first obtain the authorization to access that resource with the appropriate permissions. For example, if the application wants to read private data, it should only request the authorization to read, not to write.