mikcanf | Posts: 71

4 Authentication end-points

0 votes

The documentation talks about ApiKeyAuth (being deprecated) and ApiTokenAuth (recommended replacement).

Apparently a "Client Id" + "Secret" is combined to create a "Token" but I don't know how this is done for the APIs below.

I am not clear on "single use" vs "multi-use".

I am not clear on "sender authentication" token vs "signer".

AUTHENTICATION TOKENs calls…

/api/authenticationTokens/user     Creates a new authentication token. Single-use, expires after 30 minutes (configurable)

/api/authenticationTokens/sender     Creates a new sender authentication token.

/api/authenticationTokens/signer/multiUse    Creates a new multi-use signer authentication token.

/api/authenticationTokens/signer/singleUse    Creates a new single use signer authentication token.


Duo_Liang | Posts: 3776

Reply to: 4 Authentication end-points

0 votes

Hi Mike,

Welcome to OneSpan Sign and thanks for the post!

The API Token is a replacement for the API Key, which is used on the integrated system side to authenticate the API calls. For an example usage, check this blog: "API Token for Client Application".

On the other side, the authentication token carries the user session information, which is used to authenticate links. For example:

(1) /api/authenticationTokens/user

Creates a session token for the current API key/token holder. Building a link with this token could allow access to the current API key/token holder's sender portal, like the link below:

https://sandbox.esignlive.com/auth?authenticationToken={userToken}&target=https://sandbox.esignlive.com/a/dashboard

(2) /api/authenticationTokens/sender

Creates a session token for a particular sender. Mostly works together with the designer page link:
https://sandbox.esignlive.com/auth?senderAuthenticationToken={senderToken}&target=https://sandbox.esignlive.com/a/transaction/{packageId}/designer

With this token, you can build a designer link with limited access where the end user can't view any other transaction pages (because the package designer is not necessarily the API key/token holder).

(3) /api/authenticationTokens/signer/multiUse or /singleUse

Creates a session token for a signer of a package. This token allows you to build a signing link for the signer to access the signing ceremony. You only leverage this token when you deliver the signing link yourself (versus delivering by the out-of-the-box activation email).

Multi/Single use means whether the link is still reusable after the first visit. For example, for a link containing a single-use token, you can't use it to access the signing ceremony from a different device after the first device has used the link.

Duo
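The two link templates from the reply above, assembled in Python as an added example (not code from the original thread or from OneSpan). It assumes the service accepts a percent-encoded token value; the same-host path check and the `redact` helper are this example's own additions, since a session token in a URL acts as a bearer credential and should not reach logs.

```python
import re
from urllib.parse import quote

# Host and query-parameter names are taken from the two link templates in the reply.
BASE = "https://sandbox.esignlive.com"
TOKEN_PARAM = {"user": "authenticationToken", "sender": "senderAuthenticationToken"}

# Assumption of this example: targets are plain paths made of simple segments
# (no "..", no "//other-host"), so the redirect target cannot leave BASE.
_SAFE_PATH = re.compile(r"(/[A-Za-z0-9_=-]+)+")


def build_auth_link(kind, token, target_path, base=BASE):
    """Build an /auth link whose target stays on the same host as the auth endpoint."""
    if kind not in TOKEN_PARAM:
        raise ValueError(f"unsupported token kind: {kind!r}")
    if not token:
        raise ValueError("empty token")
    if not _SAFE_PATH.fullmatch(target_path):
        raise ValueError(f"target must be a simple same-host path: {target_path!r}")
    # Percent-encode the token so '+', '/', '=' or '&' cannot alter the query string.
    encoded = quote(token, safe="")
    return f"{base}/auth?{TOKEN_PARAM[kind]}={encoded}&target={base}{target_path}"


def dashboard_link(user_token):
    """Sender-portal link for the API key/token holder (case 1 in the reply)."""
    return build_auth_link("user", user_token, "/a/dashboard")


def designer_link(sender_token, package_id):
    """Designer-page link for one package (case 2 in the reply)."""
    return build_auth_link("sender", sender_token, f"/a/transaction/{package_id}/designer")


def redact(link):
    """Mask the token value before a link is written to logs or error reports."""
    return re.sub(r"(?i)(authenticationToken=)[^&]*", r"\1<redacted>", link)


if __name__ == "__main__":
    # Constructed sample values, not real tokens or package ids.
    link = designer_link("constructed+token/value=", "constructedPackageId")
    print(redact(link))
```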

