IP address based authentication for institutional subscribers of Scopus/ScienceDirect:
This is the default for any newly registered APIKey. Clients authenticating this way get access to all content associated with their institutional account.
"Token-based" authentication, which includes:
Using tokens from our Authentication API to resolve IP address conflicts for institutional subscribers of Scopus/ScienceDirect
Using a proprietary token (an "Institutional Token") created for you by our integration support team
Using OAuth. We offer an oauth implementation for developers wanting to integrate ScienceDirect and/or Scopus content into client-side applications requiring access to user level (rather than institutional) content
Each APIKey provides access to a limited amount of content by default, as documented here.
Automatic IP address based authentication for institutional subscribers of Scopus/ScienceDirect
First, register for an API Key here. You hard-code this API Key into your application.
You either submit the APIKey within a request URL parameter:
Our systems automatically associate your request with your customer account and return content according to that account's entitlements.
Sometimes we associate multiple IP addresses with different accounts in our account management system. In these situations your code needs to capture and maintain a security device we call an "authtoken"
After obtaining an authtoken from the Authentication API, the client submits the authtoken with each API request.
The following diagram and step-by-step explanation explains this logic in more detail.
A) Your client application (i.e. your IR system) sends an http GET request to the Authentication API, declaring the product platform you need...
This authtoken represents a specific customer's entitlements to Scopus.
E) After capturing the authtoken, you can send requests to the Content APIs.
F) The APIs check your API Key for validity, and also check for an expired authtoken.
If the key and authtoken are valid, the APIs apply appropriate account entitlements and respond with a payload. If invalid, the APIs respond with an error.
Note: An authtoken expires two hours after issuance by the Authentication API.
G) The data payload is processed by your client application.
An insttoken is an additional security token submitted in tandem with your APIKey.
Insttokens are only available to customers or partners working on behalf of a customer. If Elsevier grants you an insttoken, there are restrictions to follow:
The insttoken must be kept secure server-side in a password protected environment.
It can't appear in any browser side code
It can't appear in the address bar
The insttoken represents full access to a customer account within our authentication and entitlements system