---
title: Authentication
subtitle: How to authenticate with CPS APIs
slug: authentication
---

The Convention Photography System uses different authentication methods depending on the platform and endpoint type.

## Public Endpoints

Most photo gallery endpoints require no authentication:

* **Event browsing**: `GET /event`
* **Photo viewing**: `GET /event/{eventCode}`
* **Sub-folder access**: `GET /event/{eventCode}/{day}/{session}`

These endpoints are publicly accessible so that customers can browse available photos.

## Order Endpoints

Ordering platform endpoints may require additional verification:

### CAPTCHA Protection

Order submission requires CAPTCHA verification to prevent spam:

```javascript
// Example CAPTCHA integration
import { verifyCaptcha } from 'captcha-service';

const submitOrder = async (orderData) => {
  // Obtain a fresh CAPTCHA token; the server validates it before processing the order
  const captchaToken = await verifyCaptcha();

  const response = await fetch('/api/orders/create', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({ ...orderData, captchaToken }),
  });

  // A rejected or expired token comes back as an error status, not a 2xx
  if (!response.ok) {
    throw new Error(`Order submission failed: ${response.status}`);
  }

  return response.json();
};
```

### Email Verification

High-value orders may require email confirmation:

1. Submit order with email address
2. Receive confirmation email with verification link
3. Click link to complete order processing

## Admin Endpoints

Administrative functions require authentication:

* **Order management**: `GET /api/orders/*`
* **Status updates**: `PUT /api/orders/{id}`
* **Shipping updates**: `POST /api/orders/{id}/update-shipping`
* **Sales reports**: `GET /api/orders/summary`

### Admin Authentication

Contact CPS support for admin access credentials.
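The three tiers described above (public browsing, CAPTCHA-gated ordering, authenticated admin) expressed as one server-side request gate, written here as an added example rather than CPS's own code; the route patterns, the lower-cased `authorization` header and the two `verify*` hooks are assumptions.

```javascript
// Added example (not CPS code): gate a request by the page's three endpoint tiers.
// Route patterns, header names and the two verify* hooks are assumptions.
const ROUTE_POLICY = [
  // Order endpoints: CAPTCHA token required
  { method: 'POST', pattern: /^\/api\/orders\/create$/, tier: 'order' },
  // Admin endpoints: authenticated access only
  { method: 'PUT', pattern: /^\/api\/orders\/[^/]+$/, tier: 'admin' },
  { method: 'POST', pattern: /^\/api\/orders\/[^/]+\/update-shipping$/, tier: 'admin' },
  { method: 'GET', pattern: /^\/api\/orders(\/.*)?$/, tier: 'admin' },
  // Public endpoints: event browsing, photo viewing, sub-folder access
  { method: 'GET', pattern: /^\/event(\/[^/]+){0,3}$/, tier: 'public' },
];

// First matching rule wins; anything unmatched is denied rather than treated as public.
function classify(method, path) {
  const rule = ROUTE_POLICY.find((r) => r.method === method && r.pattern.test(path));
  return rule ? rule.tier : 'deny';
}

// req = { method, path, headers, body }; header names are assumed lower-cased (as Node does).
// verifyCaptchaToken / verifyAdminToken are hypothetical hooks into the real services.
function gate(req, { verifyCaptchaToken, verifyAdminToken }) {
  const tier = classify(req.method, req.path);
  if (tier === 'public') return { allow: true, tier };
  if (tier === 'order') {
    const token = req.body && req.body.captchaToken;
    if (!token || !verifyCaptchaToken(token)) return { allow: false, tier, status: 403 };
    return { allow: true, tier };
  }
  if (tier === 'admin') {
    const match = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
    if (!match || !verifyAdminToken(match[1])) return { allow: false, tier, status: 401 };
    return { allow: true, tier };
  }
  return { allow: false, tier, status: 404 };
}

// Constructed verifiers so the example runs offline; real ones call the CAPTCHA and auth services.
const hooks = {
  verifyCaptchaToken: (t) => t === 'captcha-ok',
  verifyAdminToken: (t) => t === 'admin-secret',
};
```

Because the CORS policy documented on this page answers every origin with `Access-Control-Allow-Origin: *`, browsers will not attach cookies to cross-origin calls, so admin requests must carry their credential explicitly, which is why the gate reads the `Authorization` header that policy already allows.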
## API Keys (Future)

Future versions may implement API key authentication for:

* Third-party integrations
* Bulk photo access
* Automated order processing

## Security Best Practices

### Rate Limiting

* Public endpoints: Unlimited browsing
* Order endpoints: CAPTCHA required
* Admin endpoints: Authenticated access only

### Data Protection

* Customer emails encrypted in transit
* Order data stored securely in Google Sheets
* Shipping addresses validated via USPS

### CORS Policy

All APIs include CORS headers for web integration:

```
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type, Authorization
```