Requests can be authenticated with user or device credentials (username/password). In order to create a user or a device belonging to a customer: A user or a device must be created using the SaveUser API or SaveDevice API action with a request signed by the customer's authentication key and authentication secret; a username and password will be used to create the user or device.
Signing a request with the customer's authentication key, and one of his/her users' username and password (a hash of the password) can be used to allow rich client applications to make requests to Apstrata database without giving out the customer's secret.
By using the user's or device's username and password:
ValueToHash = [timestampValue][username][action name] [Md5hashFunction(new user password)]
Requests signed using the authKey and the sharedSecret without a username are called "owner" requests where the owner is considered to be the database owner i.e., the Apstrata database customer who holds the shared secret.
ACL checking is skipped when the request is performed by owner.