Permission Request

API definition

The API definition for a permission request is available at https://services.cro.ie/cws/customerapi/help/operations/permissionrequest

Rationale for Permission Request

If a Customer was to check their Account Balance, and purchase documents through the Company Search website, they would log into the website using a Customer Number and PIN.

A permission request can be viewed similarly. Getting the balance on a customer account, or purchasing a document using Open Services, requires a Customer Number and PIN. The permission request ensures that a Customer is providing valid credentials. It also checks that the Customer is in fact linked to an API Key issued through Open Services.

If a permission request is successfully executed, an authorization key is returned. This key is then appended as a query string parameter to the subsequent request.

URL

The URL for a permission request is:

 https://services.cro.ie/cws/customerapi/account/permissionrequest

The verb used to call this URL must be Http POST.

Request Body

In addition to supplying an Authorization Header, the Request Body in the Http POST must contain a number of values supplied in JSON format. Values can be supplied in any order. The values are explained as follows:

Value Description
customer_num The Customer Number (mandatory). This is the same Customer Number that you would use to log into the CRO Company Search website
customer_pin The Customer PIN (mandatory). The matching PIN for the Customer Number entered above
time_to_live The "time to live" for the request (mandatory). The value must be an integer, representing the number of seconds that the authorization key will be valid for. 60 seconds is a practical minimum, although you can use a shorter time if you wish. Note that high latency could cause authorization keys to expire, so it is not practcal to set it too short. The maximum allowed value is 3600 seconds (i.e. 1 hour).
requested_method This is where you will indicate what you are looking for permission to do next. Only two values are currently acceptable here:
  • balance - if you intend to get the account balance, supply the word "balance"
  • document - if you intend to purchase a document, supply the word "document"
  • printout - if you intend to purchase a company printout cdocument, supply the word "printout"
doc_id Only necesssary if requested_method is set to "document".

The "doc_id" is available when you grab the SubmissionDoc details. Please refer to the data dictionary and the submission help pages for more info. (If Bulk Data Customers are using this service, this may be called "Filenet Doc Id" in your specification.)

Response Status Codes

The following is the list of possible Status Codes returned in the Response.

If 200 OK is not returned, the returned status message will contain details of the error message. You should check the contents of the status message in the event of any return code other than "200 OK".

Response Explanation
200 OK Success. An Authorization Key is returned.
400 Bad Request This can happen in any of the following situations:
  • One of the required values in the Request Header is missing
  • The time_to_live is not a valid integer representing a number of seconds
  • If "document" was specified as the requested_method, a value for doc_id must also be specified. It is possible that the doc_id was ommitted
401 Unauthorized This can happen in any of the following situations:
  • The credentials in your Authentication Header are invalid (i.e. the Base64 encoded version of emailaddress:apikey)
  • The customer number specified in the Request Body is not linked to the API Key encoded in the Authorization Header. You must specifically request from the CRO for the API Key to be linked to your Customer Account Number
  • The customer_num and customer_pin specified in the Request Body are not correct. The same credentials should be usable on the Account Login page in the Company Search Site
404 Not Found This occurs when the "requested_method" is set to "document", but the "doc_id" specified does not actually exist. In other words, a request was made for permission to get a document which does not exist
412 Precondition Failed Two possible reasons:
  • Permission was requested to get an Authorization Key to stream a document, but there is an insufficient balance on the account to go ahead with the purchase. The workaround is to deposit funds in your account using the Company Search website.
  • The value specified for "time_to_live" is too high. A maximum of 3600 is allowed (this is equal to 1 hour).

Example 1: Permission Request for Account Balance

Let's assume that an Open Services user has the following credentials:

[email protected]:0903f484-1db9-4245-a542-737e0ec2a548

When we Base64 encode this and include in the Authorization Header, the full Authorizaton Header becomes:

Authorization: Basic dGVzdEB0ZXN0aW5nLmNvbTowOTAzZjQ4NC0xZGI5LTQyNDUtYTU0Mi03MzdlMGVjMmE1NDg=

You must also specify the Content-type as JSON:

Content-Type: application/json;charset=UTF-8

Now, assume that the Customer Number is 1234. The Customer PIN is ABC123. And finally, the Customer wants the Authorization Key to be valid for 5 minutes.

Here is the JSON that must be supplied in the Request Body:

{"customer_num":"1234","customer_pin":"ABC123","requested_method":"balance","time_to_live":"300"}

Assuming the call returns a 200: SUCCESS, an Authorization Key is returned as a string. A sample Authorization Key might look something like this:

"EAAAAGQl%2bp42SfKXBTUfyh48320KHgBzxpur6%2fMrWYuWd2x9ZpUpSlezmdaPlAlHGDED3fEBOMF3SjW6biZFkazgp0hieB75C1T3pXPRgOoLGSFF"

The above key can then be used in a query string to request the Account Balance.


Example 2: Permission Request to retrieve a Document

Assume that the Open Services user has the following credentials:

[email protected]:0903f484-1db9-4245-a542-737e0ec2a548

When we Base64 encode this and include in the Authorization Header, the full Authorizaton Header becomes:

Authorization: Basic dGVzdEB0ZXN0aW5nLmNvbTowOTAzZjQ4NC0xZGI5LTQyNDUtYTU0Mi03MzdlMGVjMmE1NDg=

You must also specify the Content-type as JSON:

Content-Type: application/json;charset=UTF-8

The Customer Number is 1234. The Customer PIN is ABC123. The Customer wants the Authorization Key to be valid for 1 minute. This Customer wants to retrieve doc_id 56566674.

Here is the JSON that must be supplied in the Request Body:

{"customer_num":"1234","customer_pin":"ABC123","time_to_live":"60","requested_method":"document","doc_id":"56566674"}

Assuming the call returns a 200: SUCCESS, an Authorization Key is returned as a string. A sample Authorization Key might look something like this:

"EAAAAMCJlm%2flJlEUMSwjULtRey8uAO%2fkZRMWcLrEaiukHAb0pksSnYOb4OMY%2f2ECi%2bISqKqN1Pm3d6dblxOjLbo7acUilodR
pmI%2bKuGTxqI6NGEXF8WmYWUSNQxbO8lXZzKvrg%3d%3d"

The above key can then be used in a query string to retrieve the document as a byte stream.

© 2022 - Companies Registration Office, Bloom House, Gloucester Place Lower, Dublin 1, Ireland.