Core APIs One-Sheet

SessionM provides this one-sheet summary of the platform's core APIs.


SessionM offers over 300 REST APIs to our merchant clients. These REST APIs are powered by JSON data over HTTP and support both server-to-server and client-to-server transactions.

The APIs collectively unlock SessionM's marketing automation and data management capabilities to allow marketers to drive personalized customer relationships through the mobile device and across channels.

The platform and its associated services are sold to enterprise-class merchants. SessionM operates globally, with over 40 clients actively using its platform. The biggest customers are Starbucks (QSR), Urban Outfitters (Retail) and Air Canada (Travel and Hospitality).

Authentication and Security

Basic authentication is used for SessionM APIs, and, in select cases, IP allow-lists can be enabled. Credentials are generated through an administrative portal by project team members. They can be rotated through that mechanism in coordination with clients, or revoked immediately if needed.

Authorization is in place for accessing different services and/or data. All APIs validate a specific client key against functional and data access capabilities. The minimum SSL/TLS version supported is TLS 1.2. Customer IP address allow-listing is available upon request and is typically available for SessionM's largest clients.

The APIs can process PII, such as a customer's name, age, gender, and address. However, the system does not store or process PCI data, which can include sensitive consumer behavioral data; for example, purchase transactions detailed to the SKU level as well as store location and/or channel.

The DDoS solution protecting the platform's API is AWS Shield. In addition, monthly vulnerability scans are conducted against the APIs via Mastercard Corporate Security, and third-party penetration tests are executed against them annually.


Request throughput in production over the last 6 months shows a platform-wide aggregate API throughput of ~4000 TPS (~60BN total API calls). The platform has an uptime SLA of 99.5%, which is measured via third-party monitoring of key API touch points.

SessionM uses AWS CloudWatch, SignalFx and Xymon for system and application monitoring, with extensive alerting on system and application health. Continuous performance testing capabilities are currently under development, as are continuous capacity/load testing capabilities executed against the APIs.

The SessionM Platform is dependent on many client-side systems, and the platform itself relies on AWS and Azure cloud services. Capacity and API performance are monitored at 5-second intervals across multiple dimensions. Each class of computing resource has a custom machine image. Computational resources are added to elastic load balancers as demand increases. In the event of a failure, monitoring software alerts the DevOps team as well as support personnel. If, for example, connectivity between the platform and the client's server fails, calls are queued and processed once connectivity returns.

SessionM will, on occasion, deprecate an API or group of APIs in favor of newer API versions or because support for the respective products is ending soon. Once an API is deprecated, SessionM will support it until the last client has been migrated off it. Clients are informed, and it is typical for SessionM to get a reasonable date in the future when clients should be migrated. SessionM will not terminate an API if a client is still utilizing it. All new integrations will use the new APIs.