Skip to main content

Guide to Miscellaneous Integrator Authentication

info

If you are still in the development/testing stage of your integration or if you have received confirmation that you will receive a dedicated integration entry in our backoffice you can safely ignore this document.

Unsure if this document is for you, please read the 'Should I use Miscellaneous Integrator Authentication?' section for more information.

To ensure the security, transparency, and reliability of our software products, we have introduced a new authentication flow for custom and niche integrations. We call this Miscellaneous Integrator Authentication.

This guide explains what this authentication method is, why we implemented it, and provides a step-by-step walkthrough on how to connect your custom software to our public API.

Why Miscellaneous Integrator Authentication?

Our platform provides a public API that allows third parties to securely access customer data. For widely used, common integrations, we provide dedicated integration options in our backoffice application. Customers simply activate these from their dashboard and generate an API key to share with the integration partner.

However, we also support custom integrations built for specific use cases or limited subsets of customers—for example, a custom personnel management system built exclusively for a single restaurant chain.

The old system: previously, we provided a generic "misc" integration entry for all custom integrations. While functional, pooling all custom integrations under a single generic label severely limited our visibility. We had no insight into which specific integrator was accessing our API, making troubleshooting, usage tracking, and security monitoring difficult.

The new system: the Miscellaneous Integrator Authentication flow solves this by requiring custom integrators to register themselves. By exchanging a registration token along with the customer's API token, we generate a unique API key. This securely links the specific integrator to the API traffic, ensuring full transparency and better support for both you and the customer.

Should I use Miscellaneous Integrator Authentication?

While our public API is available to all our partners, the Miscellaneous Integrator Authentication flow is designed specifically for custom, niche, or private integrations. If you are unsure which authentication path is right for your application, consider the following guidelines:

Diagram depicting authentication choices
Yes
A handful max
I am developing an integration that is useful to multiple Winston customers
Into production
Use normal API authentication
Use the miscellaneous authentication API
Request a custom integration in the Winston backoffice
Access live production data
Register as an integrator
Receive tenant API key

Use standard API credentials if:

  • You are an established software provider (e.g., major accounting, delivery, or loyalty platforms) integrating with a large portion of the Winston POS customer base.
  • Your integration already has a dedicated, named entry in the Winston POS customer dashboard.

Use Miscellaneous Integrator Authentication if:

  • You are building custom internal tools: You represent a specific restaurant chain developing an internal tool, eg. a custom in-house personnel management system, custom reporting dashboard, or bespoke mobile app solely for your own locations.
  • You are a niche software provider: Your application provides highly specialized features aimed at a very limited subset of Winston POS customers.
  • You are piloting a new integration: You are testing a proof-of-concept with a single mutual customer before officially partnering with Winston POS for a standard, system-wide integration.

If your use case falls under the miscellaneous category, this authentication flow ensures you get the data access you need while providing us with the visibility required to support your integration securely and effectively.

Still not sure which authentication method is right for you? Contact us at [email protected].

How it works: step-by-step guide

There are two ways to get your integration authenticated: you can let our support team handle the setup for you, or you can complete the self-service steps below.

Support-assisted setup (recommended)

If you already have a mutual customer ready to integrate, our support team can handle the registration and activation process for you.

  1. Send an email to [email protected] stating that you want to set up a custom integration. Please include the name of the mutual customer.
  2. We will register you as an integrator and link the integration to the customer's account.
  3. We will reply with your integrator token and the final API key.
  4. You can skip directly to Step 3: Accessing the API below.

Self-service setup

If you prefer to handle the registration and activation yourself, follow the steps below.

Step 1: Integrator registration

Before making any API calls, you (the integrator) must register your application with us.

  1. Navigate to the registration portal.
  2. Fill in the required details about your application and organization.
  3. Upon successful registration, you will receive an integrator token.
note

We will only use this information internally to help with support, to contact you in case of any issues with your integration, and to keep you updated on major API changes (like the v2.0 update).

Step 2: Customer activation

Next, the mutual customer whose data you need to access must authorize the connection.

  1. Share your integrator token with the customer.
  2. If not already activated, the customer asks the Winston POS support team or their dealer to enable the 'Misc' integration feature for their account.
  3. The customer logs into their Winston POS backoffice.
  4. They navigate to the 'Integrations' section and find the 'Misc' integration entry.
  5. They enter your integrator token to link the integration to your application.
  6. Once linked, the system will generate an API key for that customer, which they can share with you.

Step 3: Accessing the API

You are now fully authenticated.

Use the Final API Key obtained in Step 2 for all subsequent requests to our API endpoints. Include this key in the authorization headers of your HTTP requests as specified in our endpoint documentation.
The app name for Miscellaneous Integrator Authentication is misc.

The correct HTTP header format is as follows: Authorization: Token misc@<your final API key>.

Summary of Tokens

Token NameWho Generates It?Purpose
Integrator tokenIntegrator (via registration portal)Identifies your specific custom application/company to Winston POS.
Misc API keyCustomer (via backoffice)Proves the customer has authorized a custom integration to access their data.
Final API keyWinston POS API or backofficeThe actual key used in headers to authenticate standard API requests. Links the integrator and customer together.
Last updated on