We use HMAC authentication to authenticate inbound requests.
The authentication tokens are sent in the form of JWT (JSON Web Tokens).
The client is responsible for generating and sending the authentication token. There are many libraries that simplify the creation of JWTs.
The token has to be sent in the Authorization header using the Bearer schema:

    Authorization: Bearer <JWT token>
First you have to get an API token from the chy.stat system. To get the API token details:
- login to a chy.stat application with admin rights
- go to section System settings ➡️ General ➡️ API
- open the detail of an existing API token or create a new one
- copy the Token ID and the Token secret
Beware! The Token secret is confidential. You should be careful when handling this information.
If you know that the Token secret was compromised you should immediately delete the API token and issue a new one.
The header is a standard JWT header that defines the token type and the algorithm used to create its signature:

    {
      "alg": "HS256",
      "typ": "JWT"
    }
The payload must contain these claims:
- iat - Issued At. A UNIX time representing the time when the token was created. It is used for validating the token age. By default we reject tokens older than 10 minutes.
- sub - Subject. It must contain the Token ID received from chy.stat (see Getting the API token for the details).

    {
      "iat": 1504783221,
      "sub": "VXFE78JLQ9OHrvAKKg5vSw"
    }
The token has to be signed with the Token secret (see Getting the API token for the details). Only the HS256 algorithm is supported for signing the token.
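The following is an added example, not code from chy.stat or its documentation, showing both sides of the scheme described above: the client builds the compact HS256 JWT with the iat and sub claims, and the server verifies it the way a receiver should (algorithm pinned to HS256, signature compared in constant time before any claim is trusted, token age limited to the 10 minutes the page states). It uses only the Python standard library so it runs offline. The Token secret value, the `secret_lookup` callback and the one-minute clock-skew allowance are assumptions of the example; the Token ID is the one from the page's payload sample.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed sample credentials; real values come from the chy.stat API token detail.
TOKEN_ID = "VXFE78JLQ9OHrvAKKg5vSw"             # the "sub" claim (page's example value)
TOKEN_SECRET = b"example-secret-not-a-real-one"  # placeholder, not a real Token secret

MAX_TOKEN_AGE = 600   # seconds; the page rejects tokens older than 10 minutes by default
CLOCK_SKEW = 60       # assumption: tolerate iat up to one minute in the future


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding stripped on encoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(token_id: str, token_secret: bytes, issued_at: Optional[int] = None) -> str:
    """Client side: build a compact HS256 JWT carrying the two required claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": int(time.time()) if issued_at is None else issued_at, "sub": token_id}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(token_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, secret_lookup: Callable[[str], Optional[bytes]],
                 now: Optional[int] = None, max_age: int = MAX_TOKEN_AGE) -> str:
    """Server side: validate the token and return the Token ID (sub) it belongs to.

    secret_lookup(token_id) resolves the Token secret for a Token ID, or None if unknown.
    Any failure raises ValueError with the reason (never reveal it to the caller verbatim).
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm: the token must not choose how it gets verified.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256" or header.get("typ") != "JWT":
        raise ValueError("unsupported header")

    # The sub claim is needed to find the secret, but nothing else is trusted until
    # the signature has been checked.
    payload = json.loads(_b64url_decode(payload_b64))
    token_id = payload.get("sub")
    if not isinstance(token_id, str):
        raise ValueError("missing sub")
    secret = secret_lookup(token_id)
    if secret is None:
        raise ValueError("unknown token id")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")

    # Age check: reject tokens older than max_age or issued too far in the future.
    iat = payload.get("iat")
    if not isinstance(iat, int):
        raise ValueError("missing iat")
    if now - iat > max_age or iat > now + CLOCK_SKEW:
        raise ValueError("token too old or issued in the future")
    return token_id


if __name__ == "__main__":
    secrets = {TOKEN_ID: TOKEN_SECRET}
    jwt = create_token(TOKEN_ID, TOKEN_SECRET)
    print("Authorization: Bearer " + jwt)
    print("verified sub:", verify_token(jwt, secrets.get))
```

The server resolves the secret from the sub claim, so the Token ID doubles as the key identifier; the signature check happens before the iat claim is evaluated, so a tampered timestamp can never extend a token's life.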