Best Practices
BHN Distribution Mandates
- BHN instructs partners not to store sensitive card details (Card Number, Expiry Date, PIN, etc.) to comply with the Brand distribution mandate.
- Partners can access card information conveniently through BHN's eCodeHosting service, ActivationSpot. This mobile-friendly web app can be easily integrated (via iFrame) into a partner's mobile platform.
- Partners are advised against pre-fetching card details as some brands classify this information as PCI, which could extend the scope of PCI compliance if stored persistently.
Key Data Attributes for Partners
The partner integrating with BHN should keep certain values created by BHN in their systems. This includes, but is not limited to:
| BHN Attributes | Comment |
|---|---|
| OAuth Access Token | Used to make secure calls to BHN Gateways |
| ProductId (product identifier) and other product meta-data | Used to place the order |
| Order ID | Used to query status and associated gift-card details |
| Order Line Item ID | Used to query status and associated gift-card details |
| Egifturl | Used to author the eCode Hosting URL. |
What is Idempotency?
Idempotency allows for a system to safely make accidental duplicate requests on the same API operation without the operation being executed twice.
How do we do it?
In the create operations for orders, we enforce idempotent requests. Parts of the request attributes are used to create an idempotency key.
| Attributes | Description | Required | Defaults |
|---|---|---|---|
| EXTERNAL_ID | The request identifier for the caller | True | |
| EXTERNAL_PO_NUMBER | This is partner purchase order number | False | Defaults from Tenant config |
<EXTERNAL_ID>:<EXTERNAL_PO_NUMBER>:\
This generated key is indexed and is checked on subsequent requests to check for duplicates. When a duplicate request is found, we return http codes. The below table describes the API's which support Idempotency and their success and duplicate codes.
| API | Success Code | Duplicate Code | Order Detail |
|---|---|---|---|
| POST /orders | 201 | 200 | original order returned in the response |
How to manage tokens?
Access tokens usually expire after a certain period. Your application should smoothly manage token expiration by either refreshing it with the provided refresh token or by going through the authorization process again to get a new token.
Make sure to securely store access tokens and sensitive data. Use secure storage methods or environment variables to prevent unauthorized access.
Avoid browser-based API calls
We do not allow browsers to POST calls. Attempts to do so, will result in an authorization error (403.001).
For best practices, we recommend you use non-browser tools for all API calls.
Updated 8 months ago