APEX SDK Authentication
Friday, December 3, 2021 at 11:06am
I have a few questions about the authentication pattern for the APEX SDK. I think I know the answers but I'd like confirmation:
- What is the lifetime of an API key?
- Is the API key generated only for the APEX SDK use, i.e. not shared by any other application?
- Is this a one-way or mutual TLS between OneSpan and Salesforce?
Reply to: APEX SDK Authentication
Friday, December 3, 2021 at 11:30am
Or, a better question: do you have documentation on how authentication works for the APEX SDK?
Reply to: APEX SDK Authentication
Friday, December 3, 2021 at 12:26pm
Hi Peter,
For your questions:
The API Key won't expire in OneSpan Sign, and unfortunately it can be used to authenticate any integration other than the APEX SDK. A more secure mechanism is to use an API Token instead of the API Key so that you can rotate the client ID and secret on schedule. But the APEX SDK doesn't support API Tokens by default (it's a new feature introduced after the latest SDK update), so you may have to adjust the source code a little bit and retrieve an access token via this call:
POST /apitoken/clientApp/accessToken
{ "clientId": "your_client_id", "secret": "your_client_secret", "type": "SENDER", "email": "sender_email" }
Without further configuration, I believe it's a one-way SSL, and your APEX callout can only reach sites configured in remote site settings.
Duo
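
The token call described in the reply above, as an added Apex example that is not part of the original post or of OneSpan's SDK. The class name, the Named Credential `OneSpanSign` and the `accessToken` response field are assumptions.

```apex
// Added example, not OneSpan's SDK code. Assumptions are marked "ASSUMPTION".
public with sharing class OssAccessTokenProvider {
    // ASSUMPTION: a Named Credential called "OneSpanSign" holds the base URL of
    // your OneSpan Sign instance (a Remote Site Setting plus a full URL also works).
    private static final String TOKEN_ENDPOINT =
        'callout:OneSpanSign/apitoken/clientApp/accessToken';

    public class TokenException extends Exception {}

    // clientId and secret should be read from protected storage by the caller,
    // never written as literals in source, so they can be rotated on schedule.
    public static String fetchAccessToken(String clientId, String secret, String senderEmail) {
        // Request body fields exactly as given in the reply above.
        Map<String, String> body = new Map<String, String>{
            'clientId' => clientId,
            'secret'   => secret,
            'type'     => 'SENDER',
            'email'    => senderEmail
        };

        HttpRequest req = new HttpRequest();
        req.setEndpoint(TOKEN_ENDPOINT);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setHeader('Accept', 'application/json');
        req.setBody(JSON.serialize(body));
        req.setTimeout(20000);

        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            // Report the status only: request and response bodies can carry secrets.
            throw new TokenException('Access token request failed: HTTP ' + res.getStatusCode());
        }

        Map<String, Object> parsed =
            (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        // ASSUMPTION: the token is returned in a field named "accessToken".
        String token = (String) parsed.get('accessToken');
        if (String.isBlank(token)) {
            throw new TokenException('Access token missing from response');
        }
        return token;
    }
}
```

The thread does not say how the SDK should present the returned token on later calls, so confirm the header format against OneSpan's API token documentation before replacing the API key in the SDK source.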