Support for

FLAPI: Authentication and Credentials

Alistair Wilson
by Alistair Wilson 8 years ago


Use the username and password we provide, in basic authentication.

Getting your App approved

You’ll need to obtain credentials (username, password) before you can use the API. Get your developer account details by speaking to w3p API support.

This guide documents the API interface itself. For licensing and legal, see

Your API credentials

Your credentials allow your systems to access w3p services via FLAPI. If someone else has your credentials, they too can access the same services, posing as your business.

It is important that you take reasonable measures to ensure that you do not publish your credentials:

  • Use SSL for API calls (use https:// instead of http://). 

  • If you experience problems due to unauthorised sharing of your credentials, then change your credentials, close the security hole, and update your services to use your new credentials.

  • Do not hard-code your credentials in every request call; instead use a variable containing the credentials.

    • Specify your credentials once, in a file on a private part of your server, and include it (by reference) in your framework or page code.

  • Do not allow your web server to show code that might display your credentials.

    • Do not use debug code in the production environment, which might reveal the contents of variables that contain your credentials.

    • Handle errors correctly, so they do not reveal the code that caused the error. If you want traceability, then handle and privately log the error, and optionally inform the user there was a problem along with a reference number that can be used for support.

    • Try to use syntax checkers and syntax-highlighting code editors, and separate the processing code from the presentation code. This helps to avoid serving code into your HTML pages.

  • Do not serve scripts or web pages that contain your credentials, i.e. do not design your systems so that your clients’ web browsers are making API requests directly. Instead, your servers should take minimal requests from your client’s pages, and then your servers issue the API requests to the API on your clients’ behalf.

  • Do not inject unprocessed user-supplied strings into expressions, e.g. do not use something like

    <?php $thatWorked = 'Insecure handy calculator: ' . eval( $userInput ); ?>



Jump to contents page of

Flyerlink API Guide


All content is (c) Nettl Systems Limited, 2024 and may not be used, copied or distributed without permission.