Last modified: 2024-06-21

Managing API Access and Authentication Settings

This section discusses the following authentication methods that are available for use:

To use these authentication settings one of the following account features must be enabled:

  • Integration - API Key

  • Integration - API Token

If these features have not been enabled for you, contact our Support Team.

Authentication Settings

The Authentication Access page allows you to define the authentication method to be used when using REST API calls to connect to OneSpan Sign.

To choose your authentication method:

  1. Select your preferred authentication method.

    • API KEY and/or Client App credentials

    • OAuth 2.0 Client Credentials

  2. Click Save.

  3. Using the panel on the left, navigate to the configuration page for the authentication method you selected.

  4. Use the following sections to continue configuring your authentication method. You can also use these pages to update or delete an existing authentication method.

The authentication method used when making the API calls is determined by the authentication method that you select. This means that if OAuth 2.0 Client Credentials is selected, you will not be allowed to make any API calls using the API Key or API Token, and vice versa.

API Key and Client Apps

For more information on how to use API Tokens, see our blog post on this topic.

To access the API Key and Client Apps page:

  1. Click Admin > API Access.
  2. In the Authentication Settings page, use the left panel to select API Key and Client Apps.

API Keys

While API keys can be used with OneSpan Sign, we recommend that you use Client Apps instead. Clients Apps are more flexible and help reduce the number of potential security vulnerabilities.

Client apps provide the following benefits over API Keys:

  • With Client Apps access can be created, rotated, or revoked as needed. API Keys are fixed, and thus if you want to make any access changes you will need to contact our Support Team.

  • Multiple Client Apps can be used if you have multiple integrations configured. This helps to limit the scope of any fraudulent attack on your system. Conversely, only one API Key is provided for all integrations.

  • Client Apps use temporary tokens to allow API access, which are only available for a brief period of time. API Keys do not expire, and thus any breach will require you to contact our Support Team.

The API key may not be visible, depending on your environment and your account privileges. Only an account owner can view an API key.

To view your API key

  • In the API Key section of the API Key and Client Appspage, click the View icon.

By default, your API key is masked.

Client Apps

Before integrators can make requests via REST APIs or SDK functions, OneSpan Sign requires that users either register a Client Apps, or provide a secure API Key to authenticate the API calls. OneSpan recommends that you use Client Apps.

To register a Client App

You can authenticate REST API calls from within a user's system by providing the user with a secure but short-lived (e.g., 30-minute) API Token that can be used for authentication. This feature is called Client Apps. To enable it, you must contact our Support Team. Once this feature is enabled, third-party integrators will be able to connect to the OneSpan Sign API using these API Tokens.

This feature is not supported for OneSpan Sign connectors.

To create a Client App

  1. Click Admin > API Access.
  2. In the Authentication Settings page, use the left panel to select API Key and Client Apps.
  3. Click Add. A Create Client App sidebar appears.
  4. Enter a Name for the Client App.
  5. Click Create.
  6. Copy the Client ID and Secret codes that appear.
  7. Store the Client ID and Secret codes in a secure location.
  8. Click Done.

The Secret will no longer appear once you click Done. For your records. please copy this Secret to a secure location. Both the Client ID and Secret are used to retrieve the temporary API Token.

Data Loss Prevention (DLP)

Client Apps can be configured to work with Data Loss Prevention (DLP) software. If you are using DLP software in your environment, and you would like to configure your software to monitor the Client ID and Client Secret, contact our Support Team.

OAuth 2.0

OAuth 2.0 is the industry standard protocol for online authorization. OneSpan Sign now supports OAuth 2.0 protocol focusing on consented access, using Grant type client credentials (only).

OAuth 2.0 Scope capabilities, which allow you to restrict the actions that a client application can perform on resources on behalf of the user, will be available in a future release.

While it is possible to define OAuth 2.0 clients and secrets at any time, these will not become available until you select OAuth 2.0 Client Credentials on the Authentication Access page.

OAuth 2.0 tokens by default expire after five minutes.

To add or configure OAuth 2.0 authentication:

  1. Click Admin > API Access.
  2. In the Authentication Settings page, use the left panel to select OAuth 2.0.
  3. Copy the Authentication Server URL that is displayed. This will needed for your integration settings. The Authentication Server URL is visible at all times.

    The Authorization Server URL is provided by OneSpan Sign and cannot be modified.

  4. Click Add. A Create OAuth 2.0 Client dialog appears.
  5. Enter a Name for the OAuth 2.0 Client.
  6. Click Create.
  7. Copy the Client Secret codes that appear.
  8. Store the Client Secret codes in a secure location.
  9. Close the dialog.

The Client Secret will no longer appear once you close this dialog. For your records. please copy this Client Secret to a secure location. If you lose this Client Secret you will need to regenerate a new one. To do this, select your OAuth 2.0 client and click Get new credentials from the actions menu to the right of the client.

OAuth 2.0 Use Cases

When using OAuth 2.0, note the following:

  • When Roles and Permissions is disabled on an account, the API Access page will be visible only to the account owner.
  • When Roles and Permissions is enabled on an account, the API Access page will be visible to any user having any role with the API Access permission enabled.
Was this information helpful?