RESTAPI:Client id based Verification
Current version as of 13 June 2024, 10:54
With Client id based verification, any sender email address can be used for the services without performing an email based verification process. For this, a client id has to be registered in the Cryptshare administration interface (step 0b). After registering, the REST API consumer can request Verification Tokens for arbitrary email addresses, using the registered client id. Each verification token is only valid for the respective email address and the requesting client id.

Please note: Using Client id based verification increases the risk of abuse, since anyone with access to the client id can use the services with any sender email address. It is therefore recommended that Client id based verification only be used if email based verification does not meet your requirements and the client id is not publicly exposed, as it would be in calls made from a web application. Use it only in server-side applications or other applications where REST API calls are not easily visible via the browser's developer tools. We therefore recommend client id based verification only for server applications or trusted environments. Data gained from the server application could be offered to the respective users when custom authentication mechanisms are used.
Preparation
Step A: Check availability for client id based verification
GET https://<your-url>/api/users/<email-address>/verification
You can determine which verification methods are available for a client id with the contents of the field verificationMethods. When the value clientId is contained, client id based verification can be used. If it is not contained, please register the client id in the Cryptshare Administration Interface, see the next section.
After the client id has been registered in the Cryptshare administration interface, check the availability for client id based verification again.
Step 1: Request verification token
POST https://<your-url>/api/users/<email-address>/verification/token
In order to request your verification token, send an empty JSON object { } in the request body and set the Content-Type header to application/json.
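The following server-side sketch ties Step A and Step 1 to the recommendation above: the client id stays in the backend, and a token is only requested for the address the application has itself authenticated. It is an added example, not code from the Cryptshare documentation. Assumptions: the header name `X-CS-ClientId` (this page does not say how the client id is transmitted), `verificationMethods` sitting at the top level of the reply, and the hypothetical names `VerificationGateway`, `send` and `fake_send`.

```python
import json
from urllib.parse import quote

CLIENT_ID_HEADER = "X-CS-ClientId"  # assumption: header name is not given on this page


class VerificationGateway:
    """Hypothetical server-side wrapper: the client id never leaves the backend."""

    def __init__(self, base_url, client_id, send):
        self.base_url = base_url.rstrip("/")
        self.client_id = client_id  # load from server configuration, never ship to browsers
        self.send = send            # callable(method, url, headers, body) -> parsed JSON dict

    def _url(self, email, suffix=""):
        # Percent-encode the address so '/', '?' or '#' cannot alter the request path.
        return f"{self.base_url}/api/users/{quote(email, safe='@')}/verification{suffix}"

    def client_id_allowed(self, email):
        # Step A: client id based verification is usable only if 'clientId' is listed.
        reply = self.send("GET", self._url(email), {CLIENT_ID_HEADER: self.client_id}, None)
        return "clientId" in reply.get("verificationMethods", [])

    def token_for(self, session_email, requested_email):
        # Custom authentication gate: a user only gets a token for the address
        # the application has authenticated for that session.
        if requested_email.strip().lower() != session_email.strip().lower():
            raise PermissionError("sender address does not belong to this session")
        if not self.client_id_allowed(session_email):
            raise RuntimeError("client id is not registered for client id based verification")
        headers = {CLIENT_ID_HEADER: self.client_id, "Content-Type": "application/json"}
        # Step 1: POST an empty JSON object as the request body.
        return self.send("POST", self._url(session_email, "/token"), headers, json.dumps({}))


def fake_send(method, url, headers, body):
    # Constructed stand-in for the HTTP layer so the example runs offline;
    # the reply shapes below are constructed, not taken from the server.
    fake_send.calls.append((method, url, headers, body))
    if method == "GET":
        return {"verificationMethods": ["clientId"]}
    return {"token": "constructed-token"}


fake_send.calls = []
```

In production, `send` would be a thin function around the HTTP client of your choice, and `session_email` would come from the application's own login state rather than from request parameters.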
Using the verification token
Information on how to use verification tokens can be found here.
Validity of the verification token
Please note: verification tokens have a limited validity and might need to be re-requested at a later date. More information can be found here.