Core concepts

Security

All API requests must use HTTPS and token-based authentication. Follow security best practices to protect your credentials and customer data.

Transport (TLS)

All calls to the API must take place over a secured layer through TLS (HTTPS). Requests made over HTTP will be rejected.

Tokenization

Security is provided through the use of tokens generated in the HLC web store. Tokenized security provides a higher level of protection and allows customers to control when access tokens or login tokens need to be changed.

Token Types

HLC supports two token types:

  1. Access Token: Required for all API endpoints (except /System/Token)
  2. Login Token: Used for auto-login flows in the web store

Getting Started with Tokens

Accessing Token Management

To access the token creation system:

  1. Log into the HLC web store at www.hlc.bike
  2. Navigate to My Account → User Settings
  3. Expand the row of the desired user ID
  4. Select the External Services tab

Note

The External Services tab must be enabled by a site administrator before you can access token management.

Token Operations

To generate a new token:

  • Find the section for the token type you wish to create (Access or Login)
  • Press the Generate Token button

To remove an existing token:

  • Find the section for the token you wish to remove
  • Press the Clear Token button

Important

Tokens that are removed are no longer valid and cannot be used to connect to the API.

To regenerate a token:

  1. Clear the old token (if not already done)
  2. Generate a new token

Using Access Tokens

Every API call requires an access token except for the /System/Token endpoint. The access token must be added to the request in the HTTP authorization header.

For API v3.0

Use the ApiKey header:

const baseUrl = 'https://api.hlc.bike/us/v3.0'
const apiKey = process.env.HLC_API_KEY

const res = await fetch(`${baseUrl}/Catalog/Brands`, {
  headers: {
    ApiKey: apiKey,
    language: 'en',
    callerName: 'dealer-portal',
  },
})

const brands = await res.json()

For API v4.0+

Use the Authorization header:

const baseUrl = 'https://api.hlc.bike/us/v4.1'
const apiKey = process.env.HLC_API_KEY

const res = await fetch(`${baseUrl}/Catalog/Brands`, {
  headers: {
    Authorization: apiKey,
    language: 'en',
  },
})

const brands = await res.json()

C# Example

using (var client = new HttpClient())
{
    client.BaseAddress = new Uri(URL_HOST_API);
    client.DefaultRequestHeaders.Add("ApiKey", accessToken);
    client.DefaultRequestHeaders.Add("language", "en");

    var response = await client.GetAsync("/Catalog/Brands");
    var content = await response.Content.ReadAsStringAsync();
}

Using Login Tokens

A Login Token enables the auto-login service, allowing users to authenticate automatically without entering credentials. This is useful for deep-linking users into specific carts or pages.

Token Requirements

The login token must be Base64 encoded before use.

Auto-Login URL Structure

https://www.hlc.bike/auto-login?token={BASE64_ENCODED_TOKEN}

With Cart ID

To automatically load a specific cart upon authentication:

https://www.hlc.bike/auto-login?token={BASE64_ENCODED_TOKEN}&cartId={CART_ID}

JavaScript Example

const loginToken = process.env.HLC_LOGIN_TOKEN
const base64Token = Buffer.from(loginToken).toString('base64')
const cartId = 12345

const autoLoginUrl = `https://www.hlc.bike/auto-login?token=${base64Token}&cartId=${cartId}`

// Redirect user
window.location.href = autoLoginUrl

Use Case

A dealer portal can use login tokens to redirect users without requiring them to log in manually:

  • Direct customers to saved shopping carts
  • Pre-populate orders based on external data
  • Seamless integration between custom applications and the HLC web store

Security Best Practices

Best Practices

  • Store tokens securely: Never expose tokens in client-side code or public repositories

  • Use environment variables: Store tokens in .env files excluded from version control

  • Rotate tokens regularly: Generate new tokens periodically to maintain security

  • Monitor token usage: Log all API calls for auditing and troubleshooting

  • Implement rate limiting: Protect your application from excessive API calls

  • Use HTTPS only: Never transmit tokens over unencrypted connections

  • Restrict token access: Limit who can view and manage tokens in your organization

Troubleshooting

Common Issues

401 Unauthorized

  • Verify the access token is valid and hasn't been cleared
  • Check that you're using the correct header name (ApiKey for v3.0, Authorization for v4.0+)
  • Ensure the token hasn't expired or been regenerated

403 Forbidden

  • Verify your account has permission to access the requested resource
  • Check that the External Services tab is enabled for your user

Connection Refused

  • Ensure all requests use HTTPS, not HTTP
  • Verify the base URL matches your region (US/CA)
Previous
One API, all versions
Next
SKU