4 Authentication end-points

Hi Mike,

 

Welcome to OneSpan Sign and thanks for the post!

For API Token, it's a replacement of API Key, which is used at the integrated system side to authenticate the API calls. For an example usage, check this blog "API Token for Client Application"

On the other side, the authentication token carries the user session information, which is used to authenticate links. For example:

(1)/api​/authenticationTokens​/user 

create a session token for the current API key/token holder. Building a link with this token could allow accessing current API key/token holder's sender portal, like below link:

https://sandbox.esignlive.com/auth?authenticationToken={userToken}&target=https://sandbox.esignlive.com/a/dashboard

(2) ​/api​/authenticationTokens​/sender 

create a session token for a particular sender. Mostly works together with designer page link:
https://sandbox.esignlive.com/auth?senderAuthenticationToken={senderToken}&target=https://sandbox.esignlive.com/a/transaction/{packageId}/designer

With this token, you can build a designer link with limited access where the end user can't view any other transaction pages. (because the package designer is not necessary to be the API key/token holder)

(3) /api​/authenticationTokens​/signer​/multiUse or /singleUse

create a session token for a signer of a package. This token allows you to build a signing link for signer to access the signing ceremony. You only leverage this token when you deliver the signing link yourself (versus delivering by the out-of-the-box activate email)

Multi/Single use means whether the link is still reusable after the first visit. For example, for a link containing single-use token, you can't use it to access the signing ceremony from a different device after the first device has used the link. 

 

Duo