# Authentication

# Generation of the requestToken

Every call to the API must contain the following headers:

  • apiKey : <yourApiKey>
  • token: <EncodingAlgorithmIdentifier>-<encodedRequestToken>
  • currentTenant: <yourTenantId>
  • language: <isoCode of the requested language>

The requestToken is built by encoding the String

 <currentTimestamp>;<sessionToken>;<apiKey>

with the provided secret.

The timestamp must be formatted with the pattern yyyy-MM-dd'T'HH:mm:ss.SSSX

Possible encoding algorithms are:

  • 01 : AES_CBC_PKCS5
  • 02 : AES_ECB_PKCS5

When authenticated, the sessionToken is the one received from /v2/auth/signin. For non-logged in users replace <sessionToken> with anonymous.

The encoded bytes must be base64 encoded for sending. To prevent problems in URLs (if the token is sent as a query-param) you may replace ‘+’ with ‘-’ and ‘/’ with ‘_’.

An example of a correctly formatted token string:

2020-12-31T23:00:00.000Z;aSessionToken;aValidApiKey

An example of the above token encoded with the secret aSecretString:

02-C8yohjZU7KVbYYwGDZMD5a1sX0OSjDbYVPYltiWv8ULmEXeMm4BBnoh1VjO1sz1I3f2jNIKaumWowJBvA+B91Q==

# POST /v2/auth/signin

Accepts: application/json

Generates: application/json

Body:

{
    "identification": ",<emailaddress>",
    "passwordMD5": "<MD5HashOfPassword>",
    "password": "<passwordPlainText>"
}

The password may be provided as plain text or already md5 hashed. Rest assured, it will not be saved md5 hashed but strongly encrypted.

Response success (200 OK):

{
    "auth": {
        "token": "<sessionToken>",
        "userId": "<loggedInUserId>",
        "loginDate": "2018-06-25T07:27:16.456Z",
        "lastActionDate": "2018-06-25T07:27:16.456Z"
    }
}

Otherwise an according 4xx Response. f.e. 403 if the login failed.

# Sign-in flow

Signin Flow