Best Practices

Consuming the MTOA web API (MTAPI)

The MTOA web API can be consumed by services in three different ways:

1. Using an existing Application Template based on the MTOA Framework (C# / .NET applications only)

If you are starting your application from scratch, you may find it helpful to start with an existing application template, such as Cost Recovery Service Request (CRSR) or the Generic Service Onboarding Template.
https://dev.azure.com/ETP/myTCAccount Integration Samples

When using an application template, most of the tasks such as GCKey and Windows authentication are already handled for you and a set of APIs to call the MTOA REST APIs are already built-in.
Those APIs also include much of the functionality required to help troubleshoot issues.

Using an application template also makes it easier to consume enhancements and bug fixes to the MTOA Framework using NuGet package updates.

2. Using the MTOA Web Service Client (C# / .NET applications only)

If you have an existing .NET application but need some of the existing MTOA functionality, we also provide C# NuGet packages that expose C# APIs for the MTOA REST APIs. The MTOA Web Service Client can be updated easily through NuGet package updates, which gives you a reliable way of keeping up with the latest MTOA APIs.
See Using myTC Account NuGet Packages for more.

3. Direct Web API Calls

Using this method, you write your own code to consume the MTOA web APIs. All API endpoints are documented along with their equivalent web service clients in this section.

We recommend using Direct Web API calls for applications that aren’t written in C# or that are unable to consume the MTOA Web Service Client NuGet packages.

Caveats

Once you’ve decided which approach works best for you, avoid mixing multiple approaches in the same application. For example, if you’re using an application template based on the MTOA Framework, you should avoid making direct MTOA web API calls or even using the MTOA Web Service Client.
When using the MTOA Framework, an application automatically embeds information about the user and session data in the HTTP headers. When an application uses the MTOA Web Service Client, that information isn’t provided. If an application uses both, the information recorded in the log files may become inconsistent, making debugging difficult.

Safe and Secure Handling of API Keys and JWT Tokens

It is currently the responsibility of the development team to ensure that the keys sent to them are used, stored and handled in a secure fashion.

- Always send credentials using a secure encrypted email (do not paste them into chat applications)

- Don’t commit production or public-facing API keys into source control

API keys used in a deployment script should be injected in a secure manner by a build pipeline.
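The following is an added example (not MTOA project code) of how a non-.NET application making direct web API calls can consume a pipeline-injected key without ever placing it in source control: the key is read from an environment variable at start-up, the application refuses to run if it is missing, and only a redacted form is ever written to logs. The variable name MTOA_API_KEY and the header name X-Api-Key are assumptions; use the names given in the MTOA API documentation for your environment.

```python
"""Added example: obtain the MTOA API key from the environment at run time
instead of embedding it in the repository."""
import os
import urllib.request

# Assumed names (not taken from the MTOA documentation): the variable a build
# pipeline populates from its secret store, and the header the API expects.
API_KEY_ENV = "MTOA_API_KEY"
API_KEY_HEADER = "X-Api-Key"


def load_api_key(env=os.environ):
    """Return the key injected by the pipeline, failing fast if it is absent.

    Refusing to start is safer than silently calling the API without
    credentials or falling back to a key hard-coded in the source tree.
    """
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(
            f"{API_KEY_ENV} is not set; inject it from the pipeline's secret store"
        )
    return key


def redact(key):
    """Form that is safe to write to log files: never the full key."""
    return key[:4] + "..." if len(key) > 4 else "****"


def build_request(url, key):
    """Attach the key to an outgoing request; the key is not logged."""
    req = urllib.request.Request(url)
    req.add_header(API_KEY_HEADER, key)
    return req


if __name__ == "__main__":
    api_key = load_api_key()
    print(f"Using MTOA API key {redact(api_key)}")  # redacted, not the key
    build_request("https://example.invalid/mtoa/api", api_key)  # placeholder URL
```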