Let's make a non-tech company API-enabled
My father-in-law runs a local trucking and transportation company that recently adopted a new Trucking Management System (TMS). The new TMS offers API-based workflows, but its API does not support scoping (a token cannot be limited to a single customer's records), so it is unsuitable for direct use by customers.
Steele’s Transportation Group wanted a way for customers to integrate with their own systems and automate information transfer. Since we could not give customers direct access to the API, I was asked to develop a solution that would let a customer build API integrations without risking unintended exposure of sensitive data.
After a lot of research and digging, I settled on a simple solution that is lightweight and low-maintenance. It hides the access_token issued by the TMS and instead issues each customer a JWT. The JWT forces every request through our relay, where we can direct it to the appropriately scoped endpoint.
“Programs must be written for people to read, and only incidentally for machines to execute.” — Harold Abelson