Ensuring Secure API Integration: Understanding HQ Rental Software Authorization Tokens
When you connect your systems to a mission-critical platform, secure authentication is non‑negotiable. HQ Rental Software Authorization Tokens make it straightforward to authenticate API requests reliably—so you can build integrations that are both secure and resilient. In this guide, you’ll learn exactly how HQ Rental Software Authorization Tokens work, how to construct the header correctly, which regional base URLs to use, and the practical security steps that keep your credentials safe.
What are HQ Rental Software Authorization Tokens?
HQ Rental Software uses a simple, robust scheme to authenticate API requests. Two credentials come together to form your HQ Rental Software Authorization Tokens:
- Tenant Token: Identifies your company in the system. You can find it in Settings > Integrations > Api Token.
- User Token: Identifies the user interacting with the API. Generate it in Settings > Users by opening the user’s details (click the full name) and selecting Generate new token.
These two tokens are combined and encoded to produce the final authentication value you send with each API request.
How the authorization header is formed
- Concatenate the tokens using a colon:
generated_token = tenant_token:user_token
- Encode that string in Base64.
- Add the result to your HTTP headers as:
Authorization: Basic {AUTHENTICATION_TOKEN}
You can generate {AUTHENTICATION_TOKEN} yourself or receive it from the HQ support team upon requesting API Access.
Tip: For quick tests, you can Base64‑encode the concatenated string using a tool like https://www.base64encode.org/. For production systems, prefer your programming language’s standard Base64 utilities.
Regional Base URLs you can target
Your base URL depends on the region where your system is hosted. When you request API Access, the team will share a Postman Collection with the correct base URL for your system. It will be one of the following:
- America:
https://api.caagcrm.com/api/ - America 3:
https://api-america-3.caagcrm.com/api-america-3/ - America West:
https://api-america-west.caagcrm.com/api-america-west/ - America Miami:
https://api-america-miami.caagcrm.com/api-america-miami/ - Europe:
https://api-europe.caagcrm.com/api-europe/ - Asia:
https://api-asia.caagcrm.com/api-asia/
Always use the base URL that matches your system’s region.
Token components at a glance
| Component | Purpose | Where to find/generate |
|---|---|---|
| Tenant Token | Identifies your company (tenant) | Settings > Integrations > Api Token |
| User Token | Identifies the API user | Settings > Users > open user details > Generate new token |
| Auth header | Sent with every API request | Authorization: Basic {AUTHENTICATION_TOKEN} |
| Base URL | Directs requests to your region | Provided when you request API Access (see list above) |
Step-by-step: Building the HQ Rental Software Authorization Tokens
Follow this sequence whenever you set up a new integration or rotate credentials.
1) Retrieve your tokens
- Copy your Tenant Token from Settings > Integrations > Api Token.
- Generate and copy a User Token from Settings > Users (open the user’s profile and select Generate new token).
2) Concatenate and encode
- Create the string:
tenant_token:user_token - Encode that exact string in Base64 to produce
{AUTHENTICATION_TOKEN}.
Examples for encoding (use your actual tokens):
- JavaScript/Node.js
const token = Buffer.from(`${tenantToken}:${userToken}`).toString('base64'); // Header: Authorization: Basic ${token}
- Python
import base64 token = base64.b64encode(f"{tenant_token}:{user_token}".encode()).decode() # Header: Authorization: Basic {token}
3) Send the header on every request
Include the header:
Authorization: Basic {AUTHENTICATION_TOKEN}
If you requested API Access, you can also receive the needed details (including your region’s base URL) along with a Postman Collection to streamline testing.
What can you access once authenticated?
With proper authentication in place, you can integrate with key areas of HQ Rental Software, including modules such as:
- Booking Engine and Reservation flows (creation and updates)
- Emails (templates, triggers, and reservation communications)
- Comments and Currencies
- Inventory (categories, items, prices, purchase orders, stock)
- Invoices (items, payments, email sending, voiding)
- Files and Sheets
- Connection tokens for Stripe Terminal
Your specific integration will determine which modules you call, but all authenticated requests follow the same header pattern described above.
Security best practices for handling tokens
Treat HQ Rental Software Authorization Tokens as secrets. Adopt these practices to reduce risk and improve resilience:
- Store secrets outside code: Use environment variables or a secure secrets manager. Never hard‑code tokens in source files.
- Limit exposure: Keep tokens server‑side. Do not embed them in client‑side code or public repositories.
- Avoid logging sensitive values: Mask or omit tokens in application logs and error messages.
- Rotate tokens periodically: Regenerate User Tokens on a schedule and after staff changes or suspected compromise.
- Use least privilege for API users: Assign access appropriate to the integration’s needs.
- Protect build and CI/CD systems: Ensure pipelines and config repositories handle secrets securely.
- Verify TLS: Always make requests over HTTPS to prevent interception.
- Test with throwaway credentials: During development, work with test users and rotate often.
Request header examples (copy-ready)
Use these exact forms, substituting your encoded value for {AUTHENTICATION_TOKEN}:
Authorization: Basic {AUTHENTICATION_TOKEN}
And pair it with the base URL for your region (see the Regional Base URLs section). Send this header with every API call you make to HQ Rental Software.
Quick answers (optimized for fast lookup)
How do I generate the HQ Rental Software Authorization Token?
- Get the Tenant Token from Settings > Integrations > Api Token.
- Generate a User Token in Settings > Users (open the user and select Generate new token).
- Concatenate as
tenant_token:user_token. - Base64‑encode the string.
- Send
Authorization: Basic {AUTHENTICATION_TOKEN}with each request.
Where do I find the Tenant Token and User Token?
- Tenant Token: Settings > Integrations > Api Token
- User Token: Settings > Users > open user details > Generate new token
What should my Authorization header look like?
Authorization: Basic {AUTHENTICATION_TOKEN}
Which base URL should I use?
Use the base URL for your region. It will be one of:
- America:
https://api.caagcrm.com/api/ - America 3:
https://api-america-3.caagcrm.com/api-america-3/ - America West:
https://api-america-west.caagcrm.com/api-america-west/ - America Miami:
https://api-america-miami.caagcrm.com/api-america-miami/ - Europe:
https://api-europe.caagcrm.com/api-europe/ - Asia:
https://api-asia.caagcrm.com/api-asia/
Can I use an online tool to encode the token?
Yes. For quick checks, you can use a Base64 tool such as https://www.base64encode.org/. For production systems, rely on your language’s standard Base64 libraries.
Practical takeaways for a smooth integration
- Follow the exact header format: A correct
Authorization: Basic {AUTHENTICATION_TOKEN}header prevents most 401/403 issues. - Mind whitespace: Ensure there are no extra spaces or line breaks in your concatenated string before encoding.
- Keep tokens synchronized: If you regenerate a User Token, update any services that use it immediately.
- Centralize configuration: Set base URLs and tokens in one config location to avoid mismatches across services.
- Document your process: Record how you generate, store, rotate, and revoke tokens as part of your internal runbooks.
Integrate securely—and build more, faster
Getting authentication right unlocks a reliable foundation for deeper automation—across reservations, invoicing, inventory, and more. Once you’ve set up HQ Rental Software Authorization Tokens and your regional base URL, you’re ready to explore modules like the Booking Engine, Fleet Management workflows, and 30+ Integrations that support your rental operations.
Ready to move forward?
- Start a Free 7‑day trial to see how HQ streamlines daily work—no credit card required.
- Request API Access to receive your Postman Collection and the correct base URL for your region, then authenticate using the steps above.
Build with confidence, authenticate every call, and scale your rental business with HQ Rental Software.