mcho | Posts: 16

apiKey of subaccounts

0 votes

How can I pull the subaccount user's apikey using parent account's apikey? I have called api/senders/{accountid}/apiKey and it returns 403. The same method works for the main account however. In other words, I can pull apiKey from other senders using the owner's apiKey on the main level but couldn't do the same for the subaccount. I would appreciate any help that can be provided.


Duo_Liang | Posts: 3776

Reply to: apiKey of subaccounts

0 votes

Hi Mark,

 

From my own experience with subaccounts, I also found the same: if you invited a signer at the main account level (these signers can later be added roles at subaccount level with certain subaccount permissions), you can pull the API Key with the main account owner's. On the contrary, if you invite the signer at sub-account level, the API Key retrieval API will hit a 403 error due to a lack of permission.

In this regard, I would suggest you invite all signers at the main account level for better signer management. (For those signers already invited at subaccount level, if you can't delete and reinvite them, you can contact the support team and have them merged into the main account.)

With this account structure, registering a main account level client application and using the Client API Token to retrieve a temporary credential is a clean and SDK-friendly method to manage each signer's transactions.

 

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


sstickler1286 | Posts: 51

Reply to: apiKey of subaccounts

0 votes

Hi Duo;

The customer says that 90% of the users exist in the Master Account and it would be a lot of work to figure out the few that aren't. Do you know if OneSpan Support would be able to determine that?

Thanks!


Duo_Liang | Posts: 3776

Reply to:

0 votes

Hi Sam,

 

Support is able to determine which senders exist at subaccount level, and it is possible to merge them into the master account.

But since subaccount is still an evolving feature that we are also learning internally, it's safer if you can test through the whole process on the 90% existing senders before we change anything to the account structure.

 

Duo

Duo Liang OneSpan Evangelism and Partner Integrations Developer


mcho | Posts: 16

Reply to: apiKey of subaccounts

0 votes

Duo,

I am still having a problem. Once I pull subaccounts, how do I pull senders that belong to the subaccount? And since subaccount users have a different API key than those in the main account, how do I find the subaccount owner's API key using a REST API call to retrieve the API key of each user that belongs to the subaccount?


mcho | Posts: 16

Reply to: apiKey of subaccounts

0 votes

Five days have gone by with no response. That's disappointing.


Duo_Liang | Posts: 3776

Reply to: apiKey of subaccounts

1 votes

Hi Mark,

 

Sorry for the late reply. 

For the first half of the question, the API "GET /api/account/roles/{accountRoleId}/users" should be able to retrieve the list of user IDs assigned to a given role, for the subaccount where the current API Key/Token is active. However, I am seeing an error leveraging this API, therefore a Jira ticket has been raised with the R&D team and I am waiting for updates.

On top of that, although it's not desired, this API may also help: "GET /api/account/senders/{senderId}/account/{subaccountId}/roles", so a total of #senders * #subaccounts API calls are required.

 

For the second half of the question, it's true that a sender has different API Keys in different subaccounts. Using the main account owner's API Key at L0 level, you could get any API Key for any sender at any subaccount level:

Step 1: get a session-based token out of the main account's API Key at L0 level

Step 2: switch session context and activate the subaccount

Step 3: get the sender's API Key for that subaccount

 

A code snippet may explain this better:

            using System;
            using System.Diagnostics;
            using System.Net.Http;
            using System.Net.Http.Headers;
            using Newtonsoft.Json.Linq;

            // Placeholder values; substitute your own environment, key and IDs.
            string baseURL = "https://sandbox.esignlive.com";
            string accountOwnerAPIKey = "xxxxx==";
            string senderId = "ceKw68567gsE";
            string subaccountId = "GZsXlSSd1eES";

            // Step 1: exchange the main account owner's API Key for a user token,
            // then exchange that token for a session token.
            HttpClient myHttpClient = new HttpClient();
            HttpResponseMessage response;
            myHttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", accountOwnerAPIKey);
            myHttpClient.DefaultRequestHeaders.Add("Accept", "application/json");
            response = myHttpClient.PostAsync(new Uri(baseURL + "/api/authenticationTokens/user"), null).Result;
            response.EnsureSuccessStatusCode();
            string userToken = JObject.Parse(response.Content.ReadAsStringAsync().Result)["value"].ToString();
            response = myHttpClient.GetAsync(new Uri(baseURL + "/auth?authenticationToken=" + userToken)).Result;
            response.EnsureSuccessStatusCode();
            string sessionToken = JObject.Parse(response.Content.ReadAsStringAsync().Result)["sessionToken"].ToString();

            // Second client authenticates with the session cookie only.
            // UseCookies = false so the manually set Cookie header is sent as-is.
            HttpClient myHttpCookieClient = new HttpClient(new HttpClientHandler { UseCookies = false });
            myHttpCookieClient.DefaultRequestHeaders.Add("Accept", "application/json");
            myHttpCookieClient.DefaultRequestHeaders.Add("Cookie", "ESIGNLIVE_SESSION_ID=" + sessionToken);

            // Step 2: switch the session context to the subaccount.
            StringContent payload = new StringContent(subaccountId, System.Text.Encoding.UTF8, "application/json");
            response = myHttpCookieClient.PostAsync(new Uri(baseURL + "/api/session/activeAccount"), payload).Result;
            response.EnsureSuccessStatusCode();

            // Step 3: read the sender's API Key for the now-active subaccount.
            response = myHttpCookieClient.GetAsync(new Uri(baseURL + "/api/account/senders/" + senderId + "/apiKey")).Result;
            response.EnsureSuccessStatusCode();
            string senderAPIKey = JObject.Parse(response.Content.ReadAsStringAsync().Result)["apiKey"].ToString();

            Debug.WriteLine("sender API Key: " + senderAPIKey);

 

Duo

 

Duo Liang OneSpan Evangelism and Partner Integrations Developer

