Merchants have to authenticate themselves using Basic HTTP Authentication to be able to use the API. Each HTTP request sent by a Merchant must contain an HTTP header with Site Code as a user name and Site Password as a password.
Although it should never be necessary to construct the authentication header manually, it is easy to do so.
Constructing the Authentication Header
The Site Code and Site Password are concatenated into a single string delimited by a colon, for example:
MyContosoSite1:P@ssw0rd
The concatenated string is encoded into a Base64 string (using ASCII encoding):
TXlDb250b3NvU2l0ZTE6UEBzc3cwcmQ=
The encoded string is added to the HTTP request as an HTTP header like this:
Authorization: Basic TXlDb250b3NvU2l0ZTE6UEBzc3cwcmQ=
Notes
No access token has to be kept between consecutive calls, so Merchants do not need to handle related issues such as access token expiration. The same authentication header can be used for as long as the credentials are valid. If authentication fails (e.g. due to invalid credentials), the API methods return HTTP status code 401 (Unauthorized).
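Added example (not part of the original documentation and not the API's own code): a Python sketch of the header construction described under "Constructing the Authentication Header" and of the check behind the 401 response mentioned in the notes, reproducing the header value printed above. The function names, the server-side comparison and the log redaction are assumptions for illustration; the parse step shows that Base64 is reversible, so anyone who sees the header recovers the Site Password.

```python
import base64
import hmac

# Header value shown on the page (Site Code "MyContosoSite1", password "P@ssw0rd").
PAGE_HEADER = "Basic TXlDb250b3NvU2l0ZTE6UEBzc3cwcmQ="


def build_basic_auth_header(site_code, site_password):
    """Return the value of the Authorization header for these credentials."""
    if ":" in site_code:
        # The first colon splits user name from password, so the name cannot hold one.
        raise ValueError("Site Code must not contain ':'")
    raw = f"{site_code}:{site_password}".encode("ascii")  # ASCII, as the page states
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value):
    """Decode a header value to (site_code, site_password); ValueError if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(token.strip(), validate=True).decode("ascii")
    site_code, colon, site_password = decoded.partition(":")
    if not colon:
        raise ValueError("missing ':' separator")
    return site_code, site_password


def status_for(header_value, expected_code, expected_password):
    """Assumed server-side check: 200 on a match, 401 otherwise."""
    try:
        code, password = parse_basic_auth_header(header_value)
    except ValueError:
        return 401
    # Constant-time comparison of both parts, so timing does not reveal which one failed.
    code_ok = hmac.compare_digest(code.encode(), expected_code.encode())
    password_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return 200 if (code_ok and password_ok) else 401


def redact_for_log(header_value):
    """Keep the scheme, drop the credentials: Base64 is reversible, not encryption."""
    return header_value.partition(" ")[0] + " [REDACTED]"


if __name__ == "__main__":
    print(build_basic_auth_header("MyContosoSite1", "P@ssw0rd"))
    print(status_for(PAGE_HEADER, "MyContosoSite1", "not-the-password"))
    print(redact_for_log(PAGE_HEADER))
```

Because the header carries the credentials in recoverable form on every request, send it only over HTTPS and log the redacted form.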