# Authentication

# Generation of the requestToken

Every call to the API must contain the following headers:

- apiKey
- token (the requestToken generated as described below)
- currentTenant
- language

The requestToken is built by encrypting the string

    <currentTimestamp>;<sessionToken>;<apiKey>

with the secret provided (the secret is used as the encryption key).

The timestamp must be formatted with the pattern yyyy-MM-dd'T'HH:mm:ss.SSSX (Java SimpleDateFormat syntax; for a UTC time this yields a value such as 2018-06-25T07:27:16.456Z).

Possible encryption algorithms are:

- 01 : AES_CBC_PKCS5
- 02 : AES_ECB_PKCS5

Neither mode authenticates the ciphertext, and in ECB mode identical plaintexts produce identical tokens. How the IV for CBC mode is chosen and transmitted is not specified here and must be agreed with the API provider.

When authenticated, the sessionToken is the token received from /v2/auth/signin. For users that are not logged in, use the literal string “anonymous” as the sessionToken.

The encrypted bytes must be base64 encoded for sending. To avoid problems in URLs (if the token is sent as a query parameter) you may replace ‘+’ with ‘-’ and ‘/’ with ‘_’, i.e. use the URL-safe base64 alphabet.

# POST /v2/auth/signin

Accepts: application/json

Generates: application/json

Body:

{
    "identification": "<emailaddress>",
    "passwordMD5": "<MD5HashOfPassword>",
    "password": "<passwordPlainText>"
}

Send one of the two password fields: the password may be provided either as plain text (password) or already MD5-hashed (passwordMD5). Rest assured, it will not be saved MD5-hashed but strongly encrypted. Note that an unsalted MD5 of the password is no substitute for transport protection: whoever captures the passwordMD5 value can replay it as-is, so the request must be sent over HTTPS.

Response success (200 OK):

{
    "auth": {
        "token": "<sessionToken>",
        "userId": "<loggedInUserId>",
        "loginDate": "2018-06-25T07:27:16.456Z",
        "lastActionDate": "2018-06-25T07:27:16.456Z"
    }
}

Otherwise a corresponding 4xx response is returned, e.g. 403 if the login failed.

# Sign-in flow

[Diagram: sign-in flow]