Authentication & Registration
Learn how to authenticate with Reewild's PlanetPoints API and manage your API credentials securely.
Overview
Reewild uses a client credentials authentication model to secure API access. Every API request must include authentication headers containing your unique client credentials. This ensures that only authorized partners can access the PlanetPoints system.
Getting API Access
Registration Process
Visit the Developer Portal - Go to the Reewild developer portal from your preferred browser.
Sign In - Click Login and choose your preferred authentication method (Gmail or GitHub).
Complete Your Profile - Enter your organization and developer information when prompted.
Create an Application - Navigate to the Applications section and select "Create Application".
Configure Your Application - Provide:
- Application name
- Organization details
- Logo URL (publicly accessible image)
- Webhook URL (where you'll receive event notifications)
- Redirect/deep link URL (where users return after completing flows)
Receive Credentials - After successful creation, you'll receive:
- Sandbox credentials - Available instantly for development and testing
- Production credentials - Require approval for live integration
What You'll Receive
Your API credentials package includes:
- Client ID (`x-client-id`) - A public identifier for your application
- Client Secret (`x-client-secret`) - A secret key used to authenticate requests
- Webhook Signing Secret - Used to verify webhook signatures
You can download your credentials as a JSON file or copy them directly from the portal. Store them securely—the client secret is only shown once.
Authentication Model
How It Works
Reewild's authentication is stateless and header-based:
- Every API request must include both `x-client-id` and `x-client-secret` headers
- Server validates credentials on each request
- No tokens or sessions - authentication is per-request
Authentication Headers
All API requests require two headers:
| Header | Purpose |
|---|---|
| `x-client-id` | Identifies your application |
| `x-client-secret` | Secret key for authentication |
Both headers must be present in every request, or the API will return a 401 Unauthorized error.
Environments
Production Environment
- Use for live user data
- Real receipt processing and points awarding
- Requires approved production credentials
Sandbox Environment
- Use for development and testing
- Simulated receipt processing
- Available immediately after application creation
- Safe to experiment with integration flows
Complete all integration testing in sandbox before requesting production access. You can toggle between Sandbox and Live modes in the developer portal.
Security Best Practices
Credential Management
Your x-client-secret is equivalent to a password. Never expose it in client-side code, public repositories, or logs.
Do's:
- Store credentials in environment variables or secure vaults
- Rotate credentials if compromised (available in the portal)
- Use separate credentials for sandbox and production
- Restrict API access to authorized backend servers only
Don'ts:
- Never commit credentials to version control
- Don't log credentials in application logs
- Avoid sending credentials in URL query parameters
- Never expose credentials to frontend/mobile apps
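The following backend-side sketch applies the rules above. It is an added example, not Reewild's own code: the environment variable names and the helper names (`load_credentials`, `build_request`, `redact_headers`, `SecretFilter`) are assumptions, and only the two header names come from this page.

```python
import logging
import os
import urllib.request

SECRET_HEADERS = {"x-client-secret"}  # header name from the page


def load_credentials(env, environ=os.environ):
    """Return (client_id, client_secret) for 'sandbox' or 'production'.

    The REEWILD_<ENV>_CLIENT_ID / _CLIENT_SECRET names are assumptions.
    """
    if env not in ("sandbox", "production"):
        raise ValueError(f"unknown environment: {env!r}")
    prefix = f"REEWILD_{env.upper()}_"
    try:
        return environ[prefix + "CLIENT_ID"], environ[prefix + "CLIENT_SECRET"]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None


def build_request(url, client_id, client_secret, data=None):
    """Attach both auth headers; refuse a URL that contains the secret."""
    if client_secret in url:
        raise ValueError("client secret must not appear in the URL")
    headers = {"x-client-id": client_id, "x-client-secret": client_secret}
    return urllib.request.Request(url, data=data, headers=headers)


def redact_headers(headers):
    """Copy of a header mapping that is safe to write to logs."""
    return {k: "[REDACTED]" if k.lower() in SECRET_HEADERS else v
            for k, v in headers.items()}


class SecretFilter(logging.Filter):
    """Logging filter that scrubs the secret value from any log message."""

    def __init__(self, secret):
        super().__init__()
        self._secret = secret

    def filter(self, record):
        message = record.getMessage()
        if self._secret in message:
            record.msg = message.replace(self._secret, "[REDACTED]")
            record.args = ()
        return True
```

Attach `SecretFilter` to every log handler at startup so that a secret interpolated into a message by mistake is scrubbed before it is written.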
Credential Rotation
If you suspect your credentials have been compromised, you can rotate them directly in the developer portal:
- Navigate to your application settings
- Select "Rotate Client Secret" or "Rotate Webhook Secret"
- Update your systems with the new credentials
Common Authentication Errors
| Status Code | Error | Solution |
|---|---|---|
| 401 | Invalid credentials | Verify credentials match your environment (sandbox vs. production) |
| 401 | Missing authentication headers | Ensure both headers are present in every API call |
| 403 | Forbidden | Contact support to verify your account permissions |
Next Steps
Once you have your credentials configured: