
Authentication

The WikiParfum API uses API key authentication. Every request must carry the key in the Authorization header, exactly as shown:
Authorization: <YOUR_API_KEY>
The API key identifies your integration and determines what it may access, so treat it as a credential rather than as ordinary configuration.

GraphQL endpoint

All interactions are performed through a single GraphQL endpoint:
https://api.wikiparfum.com/graphql

Server-side execution only

All WikiParfum API requests must be executed server-side. Client-side execution from browsers or mobile applications is not allowed. The required communication pattern is:
Client → Your backend → WikiParfum API

Why server-side only

Executing requests server-side ensures that:
  • API keys remain confidential
  • Requests can be validated and controlled before they reach the API
  • Abuse and unauthorized usage can be limited and attributed to a client
  • Recommendation logic remains protected

IP allowlisting

Access to the WikiParfum API is restricted by IP address. Only requests originating from pre-approved IP addresses are accepted; all other requests are rejected even when they carry a valid API key. Before going live, you must provide the static public IP addresses from which your servers will call the API, that is, the egress addresses the API sees (for example a NAT gateway or fixed outbound proxy), not the private addresses of the hosts. ScentXP configures these as part of your integration setup.
If your server IPs change (for example during an infrastructure migration or when adding a new environment), contact your ScentXP account manager to update the allowlist before switching traffic over. Requests from non-listed IPs will be blocked.

Storing and securing API keys

API keys must never be exposed in frontend code. Recommended storage methods:
  • Environment variables
  • Server-side secret managers
  • Encrypted configuration stores
Do not:
  • Embed API keys in JavaScript bundles
  • Commit API keys to source control
  • Expose API keys in network requests visible to the client
Your backend should act as the only gateway between your applications and the WikiParfum API.
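The gateway pattern the Authentication, Server-side execution only and Storing and securing API keys sections describe, as an added Python example that is not WikiParfum's or ScentXP's own code. Clients call this backend with an operation name and variables; the backend maps the name to a fixed GraphQL document, validates the variables, reads the key from the environment and forwards the call, so the key and the query text never reach a browser. The WIKIPARFUM_API_KEY variable name, the "search" operation, its query text and its variable shapes are assumptions made for the example; only the endpoint URL and the Authorization header format come from this page.

```python
"""Backend gateway in front of the WikiParfum GraphQL endpoint.

Added example, not WikiParfum's or ScentXP's own code. Browser and mobile clients call
this backend with an operation *name* plus variables; the backend maps the name to a fixed
GraphQL document, validates the variables, attaches the API key read from the environment
and forwards the call. The client never sees the key or the raw query text.

Assumptions made for the example: the WIKIPARFUM_API_KEY environment variable name, the
"search" operation, its query text and its variable shapes. Only the endpoint URL and the
Authorization header format come from the documentation.
"""
import json
import logging
import os
import urllib.request

log = logging.getLogger(__name__)

GRAPHQL_ENDPOINT = "https://api.wikiparfum.com/graphql"
MAX_LIMIT = 50  # upper bound we impose on page sizes, regardless of what the client asks for

# The only GraphQL documents this backend will forward (constructed for the example).
# Clients choose one by name; they cannot submit arbitrary query text.
ALLOWED_OPERATIONS = {
    "search": {
        "query": (
            "query Search($term: String!, $limit: Int!) "
            "{ search(term: $term, limit: $limit) { id name } }"
        ),
        "variables": {"term": str, "limit": int},
    },
}


class GatewayError(Exception):
    """Raised for anything the gateway refuses to forward or cannot answer."""


def load_api_key(env=os.environ):
    """Read the key from the environment (populated by a secret manager at deploy time).
    Fail closed: a missing key is a deployment error, not something to paper over."""
    key = env.get("WIKIPARFUM_API_KEY")
    if not key:
        raise GatewayError("WIKIPARFUM_API_KEY is not set")
    return key


def validate(operation, variables):
    """Check that the client asked for a known operation with exactly the expected
    variables, each of the expected type. Returns the GraphQL document to send."""
    spec = ALLOWED_OPERATIONS.get(operation)
    if spec is None:
        raise GatewayError(f"unknown operation {operation!r}")
    if set(variables) != set(spec["variables"]):
        raise GatewayError("unexpected or missing variables")
    for name, expected in spec["variables"].items():
        # `type(...) is` rather than isinstance: bool subclasses int and must not pass as one.
        if type(variables[name]) is not expected:
            raise GatewayError(f"variable {name!r} must be {expected.__name__}")
    if "limit" in variables and not 1 <= variables["limit"] <= MAX_LIMIT:
        raise GatewayError(f"limit must be between 1 and {MAX_LIMIT}")
    return spec["query"]


def build_request(operation, variables, api_key):
    """Build the outbound POST: JSON body, raw key in the Authorization header
    (no scheme prefix, matching the documented header)."""
    query = validate(operation, variables)
    body = json.dumps({"query": query, "variables": variables}).encode("utf-8")
    headers = {"Authorization": api_key, "Content-Type": "application/json"}
    return urllib.request.Request(GRAPHQL_ENDPOINT, data=body, headers=headers, method="POST")


def describe_request(req):
    """Plain-dict view of a built request, for inspection in tests."""
    return {
        "url": req.full_url,
        "method": req.get_method(),
        "authorization": req.get_header("Authorization"),
        "body": json.loads(req.data),
    }


def forward(operation, variables, api_key=None, opener=urllib.request.urlopen, timeout=10):
    """Validate, forward to the API and return only the `data` part of the response.
    Upstream error detail is logged server-side, never echoed back to the client."""
    req = build_request(operation, variables, api_key or load_api_key())
    with opener(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        log.warning("upstream GraphQL errors for %s: %s", operation, payload["errors"])
        raise GatewayError("upstream query failed")
    return payload.get("data")
```

Expose `forward` only behind your own authenticated endpoint, and populate the environment variable from a secret manager at deploy time so the key is never written into a container image, a bundle or the repository. The `opener` parameter exists so the gateway can be exercised offline; in production it is the default `urllib.request.urlopen`.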

Rate limiting

Rate limiting may be applied to protect the platform and ensure fair usage across all clients. If your integration exceeds the allowed request volume, requests may be throttled or rejected. Design your integration with this in mind: cache responses where appropriate, avoid repeated calls for the same data, and retry throttled requests with a backoff delay rather than immediately.
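Two client-side measures for the guidance above, as an added Python example rather than code from this page: a small TTL cache keyed on the normalised operation and variables, and exponential backoff for requests the upstream throttles. How the API signals throttling (status code, headers) is not documented here, so the `send` callable is expected to raise `Throttled`, optionally carrying a suggested delay, whenever it detects it; `send`, `Throttled` and the delay values are assumptions for the example.

```python
"""Caching and backoff in front of a rate-limited API.

Added example, not WikiParfum's or ScentXP's own code. The page says excess requests
may be throttled or rejected but does not say how that is signalled, so `send` (supplied
by the caller) is expected to raise `Throttled` when it detects throttling, whatever the
signal is. Delay values and the `Throttled` type are assumptions for the example.
"""
import json
import time


class Throttled(Exception):
    """Raised by `send` when the upstream throttled or rejected the request."""

    def __init__(self, retry_after=None):
        super().__init__("request throttled")
        self.retry_after = retry_after  # seconds suggested by the upstream, if any


class TTLCache:
    """Minimal in-memory cache so repeated calls for the same data do not hit the API."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._entries = {}  # key -> (expires_at, value)

    @staticmethod
    def key(operation, variables):
        # Sort keys so {"a": 1, "b": 2} and {"b": 2, "a": 1} map to the same entry.
        return operation + ":" + json.dumps(variables, sort_keys=True, separators=(",", ":"))

    def get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self.clock() >= expires_at:
            del self._entries[key]
            return None
        return value

    def put(self, key, value):
        self._entries[key] = (self.clock() + self.ttl, value)


def call_with_backoff(send, request, attempts=4, base_delay=0.5, sleep=time.sleep):
    """Retry `send(request)` with exponential backoff (0.5s, 1s, 2s, ...) while the
    upstream throttles us, honouring an upstream-suggested delay when one is given.
    Re-raises the last Throttled once the attempts are exhausted."""
    for attempt in range(attempts):
        try:
            return send(request)
        except Throttled as exc:
            if attempt == attempts - 1:
                raise
            delay = exc.retry_after if exc.retry_after is not None else base_delay * (2 ** attempt)
            sleep(delay)


def cached_call(cache, send, operation, variables, sleep=time.sleep):
    """Serve from cache when possible; otherwise call upstream (with backoff) and cache
    the result. Returns (result, served_from_cache)."""
    key = cache.key(operation, variables)
    hit = cache.get(key)
    if hit is not None:
        return hit, True
    result = call_with_backoff(send, (operation, variables), sleep=sleep)
    cache.put(key, result)
    return result, False
```

In production add random jitter to the computed delay so that many workers do not retry in lockstep, cap the total time spent waiting, and choose the TTL per operation: reference data can be cached for a long time, while anything personalised to a user should be cached briefly or not at all.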