Users and Devices Authenticated Requests
Requests can be authenticated with user or device credentials (username/password). In order to create a user or a device belonging to a customer: A user or a device must be created using the SaveUser API or SaveDevice API action with a request signed by the customer's authentication key and authentication secret; a username and password will be used to create the user or device.
Signing a request with the customer's authentication key, and one of his/her users' username and password (a hash of the password) can be used to allow rich client applications to make requests to Apstrata database without giving out the customer's secret.
- Default Signature: Follow the steps in the Default Signature Type section, and set the parameter apsws.authKey to be the username of the created user or device. Then calculate the HMAC-SHA1 hash string using the MD5 hash of the created user’s or device's password.
- Token-based Authentication: Follow the steps in the Token-Based Authentication section about token-based authentication which is only allowed for users or devices.
- Simple Signature Type: Follow the steps in the Simple Signature Type section, and set the parameter apsws.authKey to be the username of the created user or device. Then use the MD5 hash of the created user’s or device's password when creating the signature.
- Bearer Token Authentication: Follow the steps in the Bearer Token Authentication section, and set the header Authorization of the request with the bearer token to https://<serviceName>/rest/<action>.
By using the user's or device's username and password:
ValueToHash = [timestampValue][username][action name] [Md5hashFunction(new user password)]
Requests signed using the authKey and the sharedSecret without a username are called "owner" requests where the owner is considered to be the database owner i.e., the Apstrata database customer who holds the shared secret.
ACL checking is skipped when the request is performed by owner.