# Authentication

# Generation of the requestToken

Every call to the API must contain the following headers:

  • apiKey : <yourApiKey>
  • token: <EncodingAlgorithmIdentifier>-<encodedRequestToken>
  • currentTenant: <yourTenantId>
  • language: <isoCode of the requested language>

The requestToken is built by encoding the String


with the provided secret.

The timestamp must be formatted with the pattern yyyy-MM-dd'T'HH:mm:ss.SSSX

Possible encoding algorithms are:

  • 01 : AES_CBC_PKCS5
  • 02 : AES_ECB_PKCS5

When authenticated, the sessionToken is the one received from /v2/auth/signin. For non-logged in users replace <sessionToken> with anonymous.

The encoded bytes must be base64 encoded for sending. To prevent problems in URLs (if the token is sent as a query-param) you may replace ‘+’ with ‘-’ and ‘/’ with ‘_’.

An example of a correctly formatted token string:


An example of the above token encoded with the secret a-Secr3t_Str1ng!:


# POST /v2/auth/signin

Accepts: application/json

Generates: application/json


    "identification": ",<emailaddress>",
    "passwordMD5": "<MD5HashOfPassword>",
    "password": "<passwordPlainText>"

The password may be provided as plain text or already md5 hashed. Rest assured, it will not be saved md5 hashed but strongly encrypted.

Response success (200 OK):

    "auth": {
        "token": "<sessionToken>",
        "userId": "<loggedInUserId>",
        "loginDate": "2018-06-25T07:27:16.456Z",
        "lastActionDate": "2018-06-25T07:27:16.456Z"

Otherwise an according 4xx Response. f.e. 403 if the login failed.

# Sign-in flow

Signin Flow