
Security and authorization

Learn how to properly secure API communication.

Security is one of the most important segments of API integration, so we have made sure to provide you with a set of tools that will help you create secure applications.

## Authorization methods

The majority of requests to the Infobip API require authentication. That is done by setting the [Authorization HTTP header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Authorization). The Authorization header must include a type and the credentials themselves.

```
Authorization: <type> <credentials>
```

**Important:** It is strongly advisable to use the HTTPS protocol for all API requests that contain an Authorization header, in order to keep the submitted credentials secret.

There are three different authorization types supported by the Infobip API. While not all API methods support all three types, they can be presumed to do so unless specifically stated otherwise on their documentation pages.

| type | credentials format | notes |
| --- | --- | --- |
| App | Infobip generated API key | recommended authorization method |
| Basic | Base64 encoded username and password combination | not recommended because the password is included with every request |
| IBSSO | Infobip generated single sign-on token | useful for accessing the API in a time-limited session |

## API key authorization

This is the most secure authorization type and the one with the most flexibility.

API keys can be generated by calling a dedicated API method. Furthermore, API keys can be of limited scope and cover only some API methods. Lastly, they can be revoked at any time. This range of possibilities makes API keys well suited for separating API access rights across multiple applications or use cases. Finally, the loss of an API key is easily manageable.

You can find out more about API key creation and management on a [dedicated documentation page](https://dev.infobip.com/docs/api-key).

API key Authorization header example:

```
Authorization: App 003026bbc133714df1834b8638bb496e-8f4b3d9a-e931-478d-a994-28a725159ab9
```

## Basic authorization

The Basic authorization type can be used in situations when an API key is not available. For example, the API methods for generating API keys should be authenticated with the Basic type.

In this case the credentials included in the Authorization header should be the [Base64 encoded](https://en.wikipedia.org/wiki/Base64) username and password combination. More formally, the Basic authentication header can be constructed in three steps:

1. The username and password are concatenated using the colon (``:``) as a separator: ``username:password``.
2. The resulting string is encoded using the [RFC2045-MIME](https://www.ietf.org/rfc/rfc2045.txt) variant of Base64.
3. The encoded string is added as the credentials after the ``"Basic "`` type.

Example:

```
Username: "Aladdin"
Password: "openSesame"

Concatenated string: "Aladdin:openSesame"

Base64 encoded string: "QWxhZGRpbjpvcGVuU2VzYW1l"

Authorization header: "Basic QWxhZGRpbjpvcGVuU2VzYW1l"
```

**Implementation:** Base64 encoding is a standard, and many programming languages and frameworks provide convenience methods for encoding strings.

Here are a few examples of generating the Basic Authorization header in several programming languages:

PHP:

```php
<?php
$username = 'Aladdin';
$password = 'openSesame';

$header = "Basic " . base64_encode($username . ":" . $password);
?>
```

Ruby:

```ruby
require "base64"

username = "Aladdin"
password = "openSesame"

# strict_encode64 omits the line breaks that encode64 inserts into its output
header = "Basic #{Base64.strict_encode64("#{username}:#{password}")}"
```

Python:

```python
import base64

username = 'Aladdin'
password = 'openSesame'

# b64encode works on bytes; decode the result back to str to build the header
credentials = base64.b64encode((username + ':' + password).encode('utf-8')).decode('ascii')
header = 'Basic ' + credentials
```

Java 8:

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

String username = "Aladdin";
String password = "openSesame";

String concatenated = username + ":" + password;
// encode with an explicit charset rather than the platform default
String header = "Basic " + Base64.getEncoder().encodeToString(concatenated.getBytes(StandardCharsets.UTF_8));
```

C#:

```csharp
string username = "Aladdin";
string password = "openSesame";

byte[] concatenated = System.Text.Encoding.UTF8.GetBytes(username + ":" + password);
string header = "Basic " + System.Convert.ToBase64String(concatenated);
```

JavaScript:

```javascript
var username = "Aladdin";
var password = "openSesame";

// btoa only accepts Latin-1 characters
var header = "Basic " + window.btoa(username + ":" + password);
```

## Token authorization

This authorization type is suited for situations in which you do not want to store Infobip credentials in your own app. Instead, your users input their Infobip credentials every time they access your application, and the application uses those credentials to create a session. The session token can then be used to authenticate subsequent API requests. Note that the session will expire automatically after a predefined period of inactivity, and it can also be terminated manually by making the appropriate API call.

You can find more details on the creation and behavior of the session on a [dedicated documentation page](https://dev.infobip.com/docs/session-login).

After obtaining the session token by calling the API method referenced above, you can include it in the Authorization header like so:

```
Authorization: IBSSO 2f9b4d31-2d0d-49a8-85f0-9b862bdca394
```
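The following is an added example, not Infobip's own code, that ties the three header types on this page together: it builds the Basic header with the three steps above (using the strict, line-break-free Base64 variant), builds the App and IBSSO forms, decodes a Basic header to show why the page calls that scheme "not recommended", redacts any Authorization header before it reaches a log, and refuses to attach credentials to a non-HTTPS URL as the "Important" callout advises. The function names (`build_basic_header`, `decode_basic_header`, `redact_authorization`, `prepare_request`) and the placeholder key are this example's own; the Aladdin/openSesame values are the page's.

```python
import base64
from typing import Dict, Tuple
from urllib.parse import urlsplit


def build_basic_header(username: str, password: str) -> str:
    """Steps 1-3 from the page: join with ':', Base64-encode, prefix 'Basic '."""
    # RFC 7617 forbids ':' in the user-id, since it would split the pair ambiguously
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    # b64encode never inserts line breaks, unlike some "MIME" encoders
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_app_header(api_key: str) -> str:
    """API key form: 'App <key>'."""
    return f"App {api_key}"


def build_ibsso_header(session_token: str) -> str:
    """Session token form: 'IBSSO <token>'."""
    return f"IBSSO {session_token}"


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Recover the plaintext credentials from a Basic header.

    Base64 is an encoding, not encryption: anyone who sees the header sees the
    password, which is why the page recommends API keys and mandates HTTPS.
    """
    scheme, _, credentials = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    user, _, pwd = decoded.partition(":")
    return user, pwd


def redact_authorization(header: str) -> str:
    """Keep only the scheme so request logs never capture a key, token or password."""
    scheme, _, credentials = header.partition(" ")
    return f"{scheme} <redacted>" if credentials else "<redacted>"


def prepare_request(url: str, header: str) -> Dict[str, object]:
    """Build request parameters, refusing to send credentials over plaintext HTTP."""
    scheme = urlsplit(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send an Authorization header over {scheme!r}")
    return {"url": url, "headers": {"Authorization": header}}


if __name__ == "__main__":
    basic = build_basic_header("Aladdin", "openSesame")
    print(basic)                       # Basic QWxhZGRpbjpvcGVuU2VzYW1l
    print(decode_basic_header(basic))  # ('Aladdin', 'openSesame')
    print(redact_authorization(build_app_header("EXAMPLE-API-KEY")))  # App <redacted>
    print(prepare_request("https://api.example.invalid/sms", basic))
```

`prepare_request` is the place to hang this check in a real client: the header value is computed once and every outgoing call goes through a function that validates the URL scheme, so a misconfigured base URL fails loudly instead of leaking credentials.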