The majority of requests to Enet's API require authentication. That can be done by setting the Authorization HTTP header. The Authorization header must include a type and the credentials themselves.
Authorization: <type> <credentials>
NOTE
It is strongly advised to use the HTTPS protocol for all API requests that contain an Authorization header in order to keep the submitted credentials secret.
There are three different authorization types supported by the Enet API. While not all API methods support all 3 types, they can be presumed to do so unless specifically stated otherwise on their documentation pages.
| type | credentials format | notes |
|---|---|---|
| App | Enet generated API key | Recommended authorization method. |
| Basic | Base64 encoded username and password combination | Not recommended because the password is included in every request. |
| IBSSO | Generated single sign-on token | Useful for accessing API in a time limited session. |
API key authorization
This is the most secure authorization type and the one with the most flexibility.
Currently, we generate API keys for our clients. API keys can have a limited scope and cover only some API methods, and they can be revoked at any time. This range of possibilities makes API keys well suited for separating API access rights across multiple applications or use cases. Finally, the loss of an API key is easily manageable.
API key Authorization header example:
Authorization: App 003026bbc133714df1834b8638bb496e-8f4b3d9a-e931-478d-a994-28a725159ab9
Basic authorization
The Basic authorization type can be used in situations where an API key is not available. For example, API methods for generating API keys should be authenticated with the Basic type.
In this case, the credentials included in the Authorization header should be a Base64 encoded username and password combination. More formally, the Basic authorization header can be constructed in three steps:
- Username and password are concatenated using the colon (:) as a separator: username:password.
- The resulting string is encoded using the RFC2045-MIME variant of Base64.
- The encoded string is added as credentials after the "Basic " type.
Example:
Username: "Aladdin"
Password: "openSesame"
Concatenated string: "Aladdin:openSesame"
Base64 encoded string: "QWxhZGRpbjpvcGVuU2VzYW1l"
Authorization header: "Basic QWxhZGRpbjpvcGVuU2VzYW1l"
Token authorization
This authorization type is suited for situations when you do not want to store Enet credentials in your own app. Instead, your users will input their Enet credentials every time they access your application and the application will use those credentials to create a session. From then on, the session token can be used to authenticate subsequent API requests. Note that the session will expire automatically after a predefined period of inactivity, and can also be manually terminated by making an appropriate API call.
After obtaining the session token by calling the above-referenced API method, you can include it in the Authorization header like this:
Authorization: IBSSO 2f9b4d31-2d0d-49a8-85f0-9b862bdca394
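The following Python code is an added example, not part of Enet's documentation or client libraries. It builds the Authorization header for the three types described above, follows the three Basic steps, and refuses non-HTTPS URLs as the NOTE advises. The function names, the UTF-8 encoding choice and the api.enet.example host are assumptions made for illustration.

```python
import base64
from urllib.parse import urlsplit

SUPPORTED_TYPES = ("App", "Basic", "IBSSO")  # the three types in the table


def basic_credentials(username: str, password: str) -> str:
    """Steps 1-2: join with ':' and Base64-encode the result."""
    if ":" in username:
        # The first colon is the separator, so a colon inside the username
        # would move the username/password boundary when the server decodes.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")  # UTF-8 is an assumption
    # b64encode emits the RFC 2045 alphabet on one line. MIME-style encoders
    # (base64.encodebytes) break output every 76 characters, and a line break
    # inside a header value corrupts the request.
    return base64.b64encode(raw).decode("ascii")


def authorization_header(auth_type: str, credentials: str) -> dict:
    """Step 3, generalized: {'Authorization': '<type> <credentials>'}."""
    if auth_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported authorization type: {auth_type!r}")
    # Reject empty values, whitespace, control and non-ASCII characters.
    if not credentials or not all("!" <= ch <= "~" for ch in credentials):
        raise ValueError("credentials must be printable ASCII, no spaces")
    return {"Authorization": f"{auth_type} {credentials}"}


def headers_for(url: str, auth_type: str, credentials: str) -> dict:
    """Build the header only when the request goes over HTTPS."""
    if urlsplit(url).scheme != "https":  # urlsplit lowercases the scheme
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return authorization_header(auth_type, credentials)


if __name__ == "__main__":
    url = "https://api.enet.example/v1/ping"  # placeholder host, not Enet's
    print(headers_for(url, "Basic", basic_credentials("Aladdin", "openSesame")))
```

The returned dictionary can be passed as the headers argument of any HTTP client; the same `headers_for` call works for App keys and IBSSO tokens by changing the type and credentials.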