Authentication: Access Token

All calls to the Promo Only Online Web API require proper authentication. All users require permission to access data by passing a valid authentication token through the headers of their web requests. A step by step guide and several examples are provided below. A valid token can be requested at any time with valid API credentials. API credentials are tied to an individual user account. API credentials are made up of 4 components, a POOL User ID (Your POOL Account ID), an API Key (a random assortment of characters unique to your account), an API Secret (a different random assortment of characters unique to your account), and an access token (a key generated from your API Key and API Secret, that is only valid for 5 minutes). API credentials can be applied for here.

Token Specifications

Parameters: POST variables: Header variables:
  1. API Key (KEY): string
  2. API Secret (SECRET): string
Data Returned:

Access Work Flow

  1. Token acquisition followed by API call

    1. URL:
    2. Header: Authorization: Basic Base64(API_KEY:API_SECRET)
    3. Method: POST
    4. POST Variable: userid: POOL_UserID
    5. Returned: JSON

      Example JSON Output:

          "code": 504
          "expires": 1585080310
          "server_time": 1585079710
          "token": "8b26e1e4f3f5e00a888807e605565c47"
          "userid": 1


    1. PHP (using cURL):

          $api_key = "a8246dd6a835b1df4qwd8503b3b5fa817";
          $api_secret = "718a24nvmbha235faud23dv8ndwhcy23n";
          $post_fields = "userid=1";

          $post_url = "";

          $ch = curl_init();
          curl_setopt($ch, CURLOPT_URL, $post_url);
          curl_setopt($ch, CURLOPT_POST, 1);
          curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
          curl_setopt($ch, CURLOPT_HTTPHEADER, array('Authorization: Basic '.base64_encode($api_key.':'.$api_secret)));
          curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

          $post_return = curl_exec($ch);

          $result_obj = json_decode($post_return);
    2. Javascript (using jQuery):

      function b64EncodeUnicode(str)
          return btoa(encodeURIComponent(str).replace(/%([0-9A-F]{2})/g,
              function toSolidBytes(match, p1)
                  return String.fromCharCode('0x' + p1);

      var api_key = "a8246dd6a835b1df4qwd8503b3b5fa817";
      var api_secret = "718a24nvmbha235faud23dv8ndwhcy23n";
      var auth_str = 'Basic ' + b64EncodeUnicode(api_key + ":" + api_secret);

          type: "POST",
          url: "",
          headers: { "Authorization": auth_str },
          data: { userid: 1 },
          dataType: "json",
          success: function (data)
    3. Python using request:

      #!/usr/bin/env python

      import requests
      import base64
      import urllib

      api_key = "a8246dd6a835b1df4qwd8503b3b5fa817"
      api_secret = "718a24nvmbha235faud23dv8ndwhcy23n"
      user_data = {"userid": 1}

      b64_key = base64.b64encode("%s:%s" % (api_key, api_secret))
      headers = {"Authorization": "Basic %s" % b64_key}
      user_url = ""
      result_return =, headers=headers, data=user_data)

  2. API call with valid un-expired token

    API Call Tutorial