Connecting to the Surpass API v2

Requests to the Surpass API must be authenticated. This is akin to logging in with user credentials. However, the user specified in the request must also have the Surpass permissions required to authorise the action taken.

This article explains how to connect to the Surpass API v2 and which permissions are required to successfully call each API.

In this section

Authentication

If you are logged in to and are using the Surpass API v2 test console to send requests to the Surpass API, a token is sent with each request to the Surpass API to authenticate the request.

To authenticate requests sent to Surpass APIs from a different HTTP client, send basic authentication details in an authorization header. This is documented in the parameters tables of the reference documentation as follows:

Name

Parameter

Input

Description

 authorization

header

MANDATORY

Basic {credentials}

Basic authentication details must be passed to authorise the user’s request, where {credentials} is a Base64 encoded username:password string.

Connection to the Surpass API can also be authenticated using SAML if using Single Sign-On (SSO) to access Surpass. A SAML header parameter is passed in the request, with its value generated using the credentials specified in the SSO setup. For more information on SSO, read Single Sign-On.

TIP: We recommend creating a dedicated integration user that can be used when calling the Surpass API. This is a good idea even if you are only testing the API as it enables you to work in the Surpass UI and API simultaneously without being logged out of the UI after each request to the API.
NOTE: If the request does not contain valid authentication details, a 401 error is returned.

Authorisation

For requests sent to Surpass APIs to be authorised, the user sending the request must have the requisite Surpass permission(s). Each part of the system has a unique permission, which acts as a key.

Users can also be assigned roles at subject, centre, and site-level. If the user making the request only has subject or centre-level access, then whatever it is they are requesting needs to be in the relevant subject and/or centre. For more information on roles and permissions in Surpass, read About roles and permissions.

NOTE: If the user sending a request does not have the requisite permissions, a 403 error is returned.

Requisite permissions

Expand the following section for tables detailing which permission is needed to successfully call each Surpass API.

Further reading

NOTE: This form is to provide feedback to help improve the Surpass Help documentation only. If you need live support, contact support@surpass.com.