REST API Authentication Strategy
This document is a guide to making Infinite Networks REST API method calls using our proprietary authentication and access control mechanism.
Prerequisites
- API calls made to Infinite Networks services require an API Key and a corresponding Secret Key. The keys are obtained from the API Keys tab of your Account dashboard. The Secret Key is never transmitted with the REST API method call; instead, it is used to generate a signed request signature. The API Key is a required parameter and is always transmitted with each REST API call.
- REST API method calls which perform actions with an Infinite Networks identified user require the infinite_uuid parameter. The UUID parameter is returned when creating an Infinite Networks identified user via the id.create API method call.
Making a REST API method call
Overview
http://[namespace].[data-center].infinitenetworks.com/api/v1/[api_method]/?api_key=[api_key]&ts=[timestamp]&nonce=[nonce]&sig=[signature]
Where:
- [namespace] is:
  - identity - for the Infinite Identity API
- [data-center] is:
  - dc - for the main Infinite Networks data center
- [api_method] is the name of the REST API method call
- [api_key] is your API application key obtained from your Account dashboard
- [timestamp] (the ts parameter) is the current GMT Unix timestamp as an integer number of seconds since the Epoch, January 1, 1970 00:00 UTC. Requests that vary more than 90 seconds from the server time will be rejected
- [nonce] is a cryptographic nonce that you generate uniquely for each REST API request
- [signature] is a SHA256 hash signature that verifies the authenticity of your request
Signing the Request
Protecting and securing your data, and the privacy of your users' data, is of the utmost importance to Infinite Networks. Infinite Networks requires that every request is signed with a cryptographic signature to guarantee that the request originated from an authorized party and was not tampered with while in transit to our data centers.
The Signing Flow
- Generate a timestamp and nonce to be used for the request
- Build the signature base string and use your Infinite Networks Secret Key to generate the signature
- Build the REST API method URI and submit the API method call to Infinite Networks servers
- Infinite Networks verifies the timestamp parameter was generated within 90 seconds of the current UTC time. If the timestamp is stale, the call is rejected.
- Infinite Networks verifies the signature by re-creating the signature base string, then performing the same calculation to generate a signature using your Secret Key and comparing the result with the signature passed as a parameter.
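The signing flow above, client and server side, as an added example that is not Infinite Networks code. Assumptions: the layout of the signature base string, the use of HMAC-SHA256 (this section says only that the signature is SHA256 and uses the Secret Key), and the server-side nonce replay check are all hypothetical, as are the function names.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW = 90  # seconds; the window stated in this document


def base_string(api_method, api_key, ts, nonce):
    # ASSUMED layout: the real signature base string format is not given here.
    return "\n".join([api_method, api_key, str(ts), nonce])


def sign(secret_key, api_method, api_key, ts, nonce):
    # ASSUMED construction: HMAC-SHA256 keyed with the Secret Key, hex encoded.
    msg = base_string(api_method, api_key, ts, nonce).encode()
    return hmac.new(secret_key.encode(), msg, hashlib.sha256).hexdigest()


def build_query(secret_key, api_method, api_key, now=None):
    """Client side: fresh timestamp and nonce, then the signature."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)  # 128 random bits, unique per request
    return {"api_key": api_key, "ts": ts, "nonce": nonce,
            "sig": sign(secret_key, api_method, api_key, ts, nonce)}


def verify(secret_key, api_method, params, seen_nonces, now=None):
    """Server side: returns (accepted, reason)."""
    now = int(time.time() if now is None else now)
    try:
        ts = int(params["ts"])
        api_key, nonce, sig = params["api_key"], params["nonce"], params["sig"]
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret_key, api_method, api_key, ts, nonce)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), str(sig).encode()):
        return False, "bad signature"
    # ASSUMED replay check, done after the signature check so unsigned
    # requests cannot fill the cache; entries can expire after MAX_SKEW.
    if (api_key, nonce) in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add((api_key, nonce))
    return True, "ok"
```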