RESTAPI:Client id based Verification: Unterschied zwischen den Versionen

Version vom 16. August 2023, 15:29 Uhr

With Client id based verification, any sender email address can be used for the services, without having to perform an email based verification process. For this, a client id has to be registered in the Cryptshare administration interface (step 0b). After registering the REST API consumer can request a verification token for a specific email address (step 1). This verification token is only valid for the respective email address and the requesting client id. The same client id can request verification tokens for different email addresses that only work together as the email address and verification token pair. Please note: Using Client id based verification increases the risk of abuse, since anyone with access to the client id can use the services using any sender email address. It is therefore recommended that Client id based verification only be used if email based verification does not meet your requirements and the client id is not publicly available as in web application calls. Instead, only server-side applications or other applications where REST API calls are not easily visible via the browser's developer tools. Therefore, we recommend the client id based verification only for server applications or trusted environments. Data gained from the server application could be offered to the respective users when custom authentication mechanisms are used.

Preparation

Step A: Check availability for client id based verification

GET https://<your-url>/api/users/<email-address>/verification

You can determine which verification methods are available for a client id with the contents of the field verificationMethods. When the value clientId is contained, client id based verification can be used. If it is not contained, please register the client id in the Cryptshare Administration Interface, see the next section.

Step B: Register client id in Cryptshare administration interface

After the client id has been registered in the Cryptshare administration interface, check the availability for client id based verification again.

Step 1: Request verification token

POST https://<your-url>/api/users/<email-address>/verification/token with empty body

@@ Zeile 1: / Zeile 1: @@
 With '''Client id based verification''', any sender email address can be used for the services, without having to perform an email based verification process. For this, a '''client id''' has to be '''registered in the Cryptshare administration interface (step 0b)'''. After registering the REST API consumer can request a verification token for a specific email address (step 1). This verification token is only valid for the respective email address and the requesting client id. The same client id can request verification tokens for different email addresses that only work together as the email address and verification token pair. Please note: Using Client id based verification increases the risk of abuse, since anyone with access to the client id can use the services using any sender email address. It is therefore recommended that Client id based verification only be used if email based verification does not meet your requirements and the client id is not publicly available as in web application calls. Instead, only server-side applications or other applications where REST API calls are not easily visible via the browser's developer tools. Therefore, we recommend the client id based verification only for server applications or trusted environments. Data gained from the server application could be offered to the respective users when custom authentication mechanisms are used.
-==Step 0a: Check availability for client id based verification==
+== Preparation ==
+=== Step A: Check availability for client id based verification ===
 GET https://<your-url>/api/users/<email-address>/verification
 You can determine which verification methods are available for a client id with the contents of the field '''verificationMethods'''. When the value '''clientId''' is contained, client id based verification can be used. If it is not contained, please register the client id in the Cryptshare Administration Interface, see the next section.
-== Step 0b: Register client id in Cryptshare administration interface ==
+=== Step B: Register client id in Cryptshare administration interface ===
 [[Datei:Rest api client id.png|ohne|mini|300x300px]]After the client id has been registered in the Cryptshare administration interface, check the availability for client id based verification again.
 ==Step 1: Request verification token==
 POST https://<your-url>/api/users/<email-address>/verification/token with empty body