Как устроена платформа

Authorization service: authorization variants

The authorization service supports two variants of authorization for access to the API methods:

  • api-key string hash authorization;

  • JWT token authorization.

Depending on a used authorization method, different values are put in queries or in the fields of the Swagger framework for providing access to the API:

  • ApiKey or PrivacyApiKey (apiKey) - a value of the api-key string hash;

  • OAuth2 Bearer (apiKey) - a value of the access token.

Api-key string hash authorization

A hash of a string defined by a user can be calculated with the use of the ApiKeyHash utility from the generator package. You can also generate a key string hash by yourself with the use of the POST /utils/hash/secure method.

Example of a query with the ``api-key`` hash authorization:

curl -X POST
--header 'Content-Type: application/json'
--header 'Accept: application/json'
--header 'X-API-Key: 1' -d '1' 'http://2.testnet-pos.com:6862/transactions/calculateFee'

JWT token authorization

If the oAuth protocol authorization is used, a client receives a refresh and an access tokens for access to the API methods. These tokens can be obtained with the use of the authorization service REST API methods.

The method POST ​/v1​/user is used for registration of users. The method query contains following parameters:

  • login - user login (e-mail address);

  • password - an account password;

  • locale - language of further e-mail notifications (possible variants: en и ru);

  • source - user type: * license - an owner of a blockchain platform license; * voting - a user of the Waves Enterprise Voting service.

After registration, a user has an opportunity to request access and refresh tokens.

Following methods are used for obtaining and refreshing of authorization tokens:

  1. POST ​/v1​/auth​/login - obtaining of an authorization token with the use of a login and password. This method is used for authorization of users.

  2. POST ​/v1​/auth​/token - obtaining of refresh and access authorization tokens for services and applications. This method does not require any parameters in its query and returns values of the tokens in response. It can be used only by an administrator of the authorization service.

  3. POST ​/v1​/auth​/refresh - updating of a refresh token. A token value is passed in the method query.

See also