Most of the services offered by the Cryptshare Server require a form of verification, before they can be used. The Cryptshare Server supports two types of verification: Email based verification and Client id based verification.
- Using the email based verification, a verification has to be performed for each sender email address. This makes sure that the sender address that is being used for a transfer through the REST API is valid and authorized for use by its owner. That's important, because the Cryptshare Policy set up on the server grants usage permissions and settings based on the email addresses used for a transfer. To verify a specific sender email address, you need to send a verification request for that email address to the Cryptshare Server. The Cryptshare Server will then send a verification email containing a verification code to the specified sender email address. This verification code will then need to be sent to the Cryptshare server via the REST API to prove that the request was authorized by the email address owner. When the verification code is correct, a verification token is assigned to the REST API consumer that now can be used for the different services. This verification token is only valid for the respective email address and client id. We recommend the email based verification approach for all purposes where users want to perform actions for themselves and have access to their own email inbox, especially for web applications.
- With Client id based verification, any sender email address can be used for the services, without having to perform an email based verification process. For this, a client id has to be registered in the Cryptshare administration interface. After registering the REST API consumer can request a verification token for a specific email address. This verification token is only valid for the respective email address and the requesting client id. The same client id can request verification tokens for different email addresses that only work together as the email address and verification token pair. Please note: Using Client id based verification increases the risk of abuse, since anyone with access to the client id can use the services using any sender email address. It is therefore recommended that Client id based verification only be used if email based verification does not meet your requirements and the client id is not publicly available as in web application calls. Instead, only server-side applications or other applications where REST API calls are not easily visible via the browser's developer tools. Therefore, we recommend the client id based verification only for server applications or trusted environments. Data gained from the server application could be offered to the respective users when custom authentication mechanisms are used.
Check availability for verification modes
GET https://<your-url>/api/users/<email-address>/verification
You can determine which verification methods are available for a client id with the contents of the field verificationMethods. When the value email is contained, email based verification is available. When the value clientId is contained, client id based verification can be used.
Verification workflows in comparison
| Client id based verification | Email based verification | |
|---|---|---|
| Use client id that is registered in the Server Backend | Create a new client id | |
| ↓ | ↓ | |
| Request verification code to user by email | ||
| ↓ | ||
| Create a verification token with the client id | Exchange verification code for a verification token | |