Authentication
Introduction
Authentication is a crucial part of accessing the API as it ensures only authorized clients can access the data. Our API uses JSON Web Tokens (JWT) for authentication.
Obtaining JWT
Clients are provided with a clientName and clientSecret during onboarding. With these credentials, clients have two options to obtain a JWT:
- Generate the JWT themselves using the HS256 algorithm.
- Request a JWT from our token generation endpoint.
Requesting a JWT
To request a JWT, make a POST request to our token generation endpoint:
https://38en04sov6.execute-api.us-west-2.amazonaws.com/authtoken
Include a JSON body with the userInfo, clientName, and clientSecret:
{
  "userInfo": {},
  "clientName": "YOUR CLIENT NAME",
  "clientSecret": "YOUR CLIENT SECRET"
}
The userInfo object can be left empty.
The API will respond with a JWT that can be used to make authorized requests to other API endpoints.
JWT Payload
The generated JWT will contain a payload similar to the following example:
{
"user": {}, //not used for API authorization
"exp": 1693237216,
"clientName": "fitty"
}
The exp field indicates the token’s expiration time in UNIX timestamp format. The token is valid for 4 hours from the time of issuance.
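Added example, not part of the original documentation: one way to build the HS256 token mentioned under Obtaining JWT, with the payload shape and 4-hour lifetime described under JWT Payload, using only the Python standard library, plus a local check that pins the algorithm and enforces exp. It assumes the signing key is the clientSecret (the page does not state this); the function names and the sample secret are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

TOKEN_LIFETIME = 4 * 60 * 60  # the page states a 4-hour validity

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: str) -> bytes:
    # Assumption: the HMAC key is the clientSecret; the page does not say so.
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_jwt(client_name: str, client_secret: str, now=None) -> str:
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user": {}, "exp": now + TOKEN_LIFETIME, "clientName": client_name}
    body = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                    for part in (header, payload))
    return body + "." + b64url(sign(body, client_secret))

def verify_jwt(token: str, client_secret: str, now=None) -> dict:
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token's own header choose how it is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = sign(f"{header_b64}.{payload_b64}", client_secret)
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired")
    return payload

if __name__ == "__main__":
    token = make_jwt("fitty", "constructed-secret")  # constructed sample values
    print(token)
    print(verify_jwt(token, "constructed-secret"))
```

Load the real clientSecret from a secret store or environment variable rather than embedding it in source.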
Using the JWT
Include the JWT in the header of all API requests as the authorization key:
Authorization: Bearer <Your-JWT>
Best Practices
- Do not share your clientName and clientSecret with anyone.
- Generate a new JWT for each session rather than reusing the same token.
- Store your JWT securely and do not expose it in client-side code.
Examples
Requesting a JWT
POST https://38en04sov6.execute-api.us-west-2.amazonaws.com/authtoken
{
"userInfo": {},
"clientName": "YOUR CLIENT NAME",
"clientSecret": "YOUR CLIENT SECRET"
}
Making an authorized request
GET /v1/{clientName}/sessions/{sessionId}
Headers:
Authorization: Bearer <Your-JWT>
Remember to replace <Your-JWT> with the actual JWT obtained from the token generation endpoint.