# Authorization

To access secured endpoints, the third party must send a request containing a valid token generated using their secret, a nonce (number used once), and their client ID.

In order to access secured endpoints using the Secret and Nonce-Based Authorization method, you'll need to follow these steps to generate the required credentials and use them to send authorized requests:

1. **Obtain your Client ID and Secret**: You'll need a unique Client ID and a Secret provided by honei Support Team. Make sure to store the Secret securely, as it is crucial for generating valid tokens.
2. **Obtain Venue API Key**: This key identifies a specific venue registered in honei and is used to authorize requests related to that venue. Each restaurant will have a different unique identifier.
3. **Generate a Nonce**: For each request, create a unique and random string called a nonce. This value should be long enough and sufficiently random to prevent collisions (two requests generating the same nonce).

```javascript
const crypto = require("crypto");

function generateNonce() {
  return crypto.randomBytes(16).toString("hex");
}
```

3. **Generate a Token**: Use the Secret, the generated nonce, and a SHA-256 hashing algorithm to create a token. Concatenate the nonce and the Secret, hash the result, and then encode the hash in Base64.

```javascript
const crypto = require("crypto");

function generateToken(secret, nonce) {
  const hash = crypto.createHash("sha256");
  hash.update(nonce + secret);
  const token = hash.digest("base64");
  return token;
}

const secret = "your_secret_here";
const token = generateToken(secret, nonce);
```

4. **Send an Authorized Request**: Include the generated token, nonce, and your Client ID in the HTTP headers when sending a request to a secured endpoint. Use the following header names:
   * `x-client-id`: The unique identifier for the authorized third party.
   * `x-nonce` : The unique and random string generated by the third party for the request.
   * `x-token` : The Base64-encoded hash of the nonce concatenated with the secret.
   * `venue-api-key`: The unique identifier provided by the honei support team for the specific venue.<br>

<br>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://integration.honei.app/authorization.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.