Authentication and Authorization

There are two separate ways of accessing the API: either by creating a session through some kind of login mechanism, or by using a pre-shared API Key. A user, regardless of which method is used, may have access to all or only some specific endpoints, and what a given endpoint returns may to some extent depend on the privileges granted.

Session

For session-based access, the client has to obtain a session key by using one of the SSO endpoints or the /login endpoint. If successful, any of these methods returns a session token that must be submitted in an Authorization header in all subsequent requests:

Authorization: Token <received_token>

where <received_token> is replaced by the token received. The token is a JSON Web Token, which can be decoded to inspect its claims.

Pre-shared API Key

The API Key must be supplied in an Authorization header on every request, preferably combined with IP-based authentication. If IP-based authentication is to be used, provide T-rank with the relevant IP addresses or CIDR blocks. T-rank will provide clients with an API Key.

Authorization: ApiKey <client-key>

where <client-key> is replaced by the received key.
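As an added example covering both the session and the API Key sections above (this is not part of the original documentation and not T-rank's own client code), the following Python helpers build the two Authorization headers exactly as described, decode the session JWT's payload to read its claims, and refuse to send a session token whose `exp` claim has already passed. The sample token, its claim names, and the HMAC secret used to sign it are constructed for the demo; the real token's claims and signing algorithm are whatever the service issues.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def session_headers(token: str) -> dict:
    """Authorization header for session-based access: 'Token <received_token>'."""
    return {"Authorization": f"Token {token}"}


def api_key_headers(client_key: str) -> dict:
    """Authorization header for pre-shared key access: 'ApiKey <client-key>'."""
    return {"Authorization": f"ApiKey {client_key}"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT *without* verifying its signature.

    The client does not hold the server's signing key, so this is only for
    inspecting claims (e.g. 'exp'); the server is the party that validates
    the signature, and nothing here should be used for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_seconds_remaining(token: str, now: Optional[float] = None) -> Optional[float]:
    """Seconds until the token's 'exp' claim, or None if it carries no 'exp'."""
    exp = decode_jwt_claims(token).get("exp")
    if exp is None:
        return None
    now = time.time() if now is None else now
    return exp - now


def auth_headers(session_token: Optional[str] = None,
                 api_key: Optional[str] = None,
                 now: Optional[float] = None) -> dict:
    """Pick exactly one of the two schemes and build the header for it.

    A session token that is already expired is rejected locally so the caller
    can log in again instead of sending a request that will be refused.
    """
    if (session_token is None) == (api_key is None):
        raise ValueError("supply exactly one of session_token or api_key")
    if api_key is not None:
        return api_key_headers(api_key)
    remaining = token_seconds_remaining(session_token, now)
    if remaining is not None and remaining <= 0:
        raise ValueError("session token has expired; obtain a new one via /login or SSO")
    return session_headers(session_token)


def make_sample_jwt(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Constructed HS256 token for the demo only (stands in for what /login returns)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{base64.urlsafe_b64encode(sig).rstrip(b'=').decode()}"


if __name__ == "__main__":
    # Constructed session token that expires 10 minutes after a fixed 'now'.
    fixed_now = 1_699_999_400
    tok = make_sample_jwt({"sub": "user42", "exp": 1_700_000_000})
    print(decode_jwt_claims(tok))
    print(auth_headers(session_token=tok, now=fixed_now))
    print(auth_headers(api_key="constructed-client-key"))
```

Two points worth keeping in mind when wiring this into a real client: the JWT payload is only Base64url-encoded, not encrypted, so anything the service puts in it is readable by whoever holds the token; and both the session token and the API Key are bearer credentials, so send them only over TLS and keep them out of logs and URLs.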