Some Luminate Online APIs provide separate Client and Server versions, and some API methods are available using Client or only Server access.
Luminate Online Server APIs allow trusted third-party web servers to proxy requests from pages hosted on their site to the Luminate Online web server.
Server APIs generally act with administrator-level privileges, whereas Client APIs generally act with the privileges of an individual logged-in user or as the "anybody" (i.e. not logged-in) user.
Server APIs require API Administrator credentials, passed as login_user and login_password on each request (see API Administrator). They also enforce IP address restrictions to verify that the request is coming from a trusted origin. Client APIs may operate in the context of an anonymous user or as a logged-in constituent, depending upon whether information they modify or return would be visible to the general public. Client APIs can operate in the context of a specific end user to read or modify personal information only if a valid sso_auth_token authentication token is passed in the request.
Luminate Online Server APIs are fairly easy to implement and can be implemented using any server-side programming language. Some frameworks (like Google pages or iGoogle) have server-side proxy features built into their JavaScript libraries.
On the other hand, using Luminate Online Server APIs requires server-side programming, which may not be possible in some environments. They do not establish a connection between the user's browser and Luminate Online, so it can be difficult to create a seamless experience if the user can also navigate to the Luminate Online site directly. Data has to pass through both systems, creating potential security exposures. This approach cannot be used for systems that must meet PCI Data Security Standards.
For this reason, we do not support Server APIs where users' sensitive information (e.g. passwords or credit card numbers) might pass from the browser to the third-party server and then on to the Luminate Online server, such as the Donation API.
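A third-party server that proxies to the Server APIs has to attach the API Administrator credentials itself and refuse to relay anything sensitive. The following is an added example, not code from the Luminate Online documentation, showing that outbound-request check; the endpoint URL, the method and cons_id parameters, the method allowlist and the sensitive-name patterns are assumptions, and only login_user and login_password come from the text above.

```python
from urllib.parse import urlencode

# Assumptions (not from the page): the URL, the "method" parameter, the
# allowlist entry and the deny patterns are placeholders for illustration.
SERVER_API_URL = "https://luminate.example.invalid/server-api"  # placeholder
ALLOWED_METHODS = {"getUser"}                   # hypothetical allowlist
CREDENTIAL_PARAMS = {"login_user", "login_password"}  # names from the page
SENSITIVE_HINTS = ("password", "card", "cvv")   # constructed deny patterns


class ProxyRejected(ValueError):
    """Raised when a browser request must not be forwarded."""


def build_server_request(browser_params, admin_user, admin_password):
    """Return (url, post_body) for the outbound Server API call.

    browser_params: untrusted form fields from a page hosted on our site.
    admin_user / admin_password: API Administrator credentials loaded from
    server-side secret storage, never taken from the browser.
    """
    method = browser_params.get("method")
    if method not in ALLOWED_METHODS:
        raise ProxyRejected(f"method not proxied: {method!r}")
    forwarded = {}
    for name, value in browser_params.items():
        lowered = name.lower()
        if lowered in CREDENTIAL_PARAMS:
            # The browser must never choose the administrator identity.
            raise ProxyRejected("client supplied credential parameter")
        if any(hint in lowered for hint in SENSITIVE_HINTS):
            # Passwords and card data must not transit the third-party server.
            raise ProxyRejected(f"sensitive field refused: {name}")
        forwarded[name] = value
    # Credentials are appended last, so no browser field can shadow them.
    forwarded["login_user"] = admin_user
    forwarded["login_password"] = admin_password
    # Sent as a POST body so credentials stay out of URLs and access logs.
    return SERVER_API_URL, urlencode(forwarded)
```

Because the Server APIs also enforce IP address restrictions, the outbound call has to leave from the address registered as trusted.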