Access Control for APIs
Access control is the process of deciding which users (and which services) may reach a given system, resource or piece of information. It has two parts: authentication, which establishes who the caller is, and authorization, which decides what that caller may do. U-Assist uses it to limit which APIs each caller may reach, and so to keep unauthorized callers away from sensitive data. Every public API requires an access_token issued by Auth0; the token is either a user token or a service token (an M2M token), and each request is authenticated and, for user requests, authorized as described below.
Authentication
API authentication is the process by which the API server validates the identity of the requesting client. The client presents a credential (here the Auth0 access_token, sent with each request) and the server verifies it before deciding whether to let the request proceed.
Authorization
Authorization happens after authentication: given a verified identity, the API decides whether that caller is permitted to perform the requested operation on the requested data. This is what ensures that client requests access data securely, rather than merely coming from a known caller.
Authenticate APIs
All APIs must be authenticated with an Auth0-issued access_token, which is either a user token or a machine-to-machine (M2M) token.
Requests from the UI and ad-hoc requests
All requests made by the U-Assist Aftercall UI carry a user token. The UI collects the token and attaches it to every request it makes. The token is authenticated at the gateway service and authorized at the individual service level, where each service checks the caller's permissions against the operation being requested.
Requests from one service to another
Service-to-service requests cannot carry a user token, since the entity making the request is a service, not a user. In this case the calling service obtains an M2M token from Auth0 using the client credentials grant, with the credentials of a service client registered in Auth0. These requests are authenticated at the receiving service, but no user-level authorization is applied, since the service client lies outside the permission model of a regular user. Authentication is therefore the only control on service traffic, so the receiving service must still verify that the token was issued by the expected tenant for its own audience and has not expired.
Implementation
Each service runs a scheduled task that keeps an up-to-date service token by pulling a fresh one from Auth0, timed so that the next token is obtained before the current one expires. Outbound service requests then attach this token.
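The refresh-ahead-of-expiry logic described above, as an added example; this is not the U-Assist implementation. The `ServiceTokenProvider` class, its `refresh_margin` parameter and the fake token endpoint are assumptions made for the demo; the only Auth0-specific part is the client credentials grant in `auth0_client_credentials_fetcher`, which POSTs to the tenant's `/oauth/token` endpoint and is not exercised offline. The clock and the fetcher are injectable so the timing can be checked without network access.

```python
import logging
import threading
import time
from typing import Callable, Dict, Optional

TokenResponse = Dict[str, object]  # parsed JSON: {"access_token": ..., "expires_in": seconds}


class ServiceTokenProvider:
    """Keeps a client-credentials token fresh, refreshing ahead of expiry.

    fetch:  performs the client credentials grant and returns the parsed JSON.
    clock:  injectable time source (seconds) so the logic can be tested offline.
    refresh_margin: how long before expiry the next token is pulled.
    """

    def __init__(self, fetch: Callable[[], TokenResponse], refresh_margin: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._margin = refresh_margin
        self._clock = clock
        self._lock = threading.Lock()
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def needs_refresh(self) -> bool:
        return self._token is None or self._clock() >= self._expires_at - self._margin

    def refresh(self) -> str:
        """Pull a new token from the token endpoint; the scheduled task calls this."""
        with self._lock:
            resp = self._fetch()
            ttl = float(resp["expires_in"])
            if ttl <= self._margin:
                raise ValueError("token lifetime is shorter than the refresh margin")
            self._token = str(resp["access_token"])
            self._expires_at = self._clock() + ttl
            return self._token

    def token(self) -> str:
        """Token for an outbound request; refreshes lazily if the scheduler is late."""
        if self.needs_refresh():
            return self.refresh()
        return self._token  # type: ignore[return-value]

    def seconds_until_next_refresh(self) -> float:
        return max(0.0, self._expires_at - self._margin - self._clock())

    def authorization_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.token()}"}


def run_refresh_loop(provider: ServiceTokenProvider, stop: threading.Event,
                     retry_delay: float = 30.0) -> None:
    """The scheduled task: sleep until the refresh point, refresh, repeat.

    A failed pull is retried after retry_delay, which is why the margin must
    comfortably exceed the retry delay.
    """
    while not stop.is_set():
        try:
            provider.refresh()
            wait = provider.seconds_until_next_refresh()
        except Exception:  # network or token-endpoint error
            logging.exception("service token refresh failed; retrying")
            wait = retry_delay
        if stop.wait(wait):
            break


def auth0_client_credentials_fetcher(domain: str, client_id: str, client_secret: str,
                                     audience: str) -> Callable[[], TokenResponse]:
    """Real fetcher (not run offline): client credentials grant against Auth0."""
    import json
    import urllib.request

    def fetch() -> TokenResponse:
        body = json.dumps({"grant_type": "client_credentials", "client_id": client_id,
                           "client_secret": client_secret, "audience": audience}).encode()
        req = urllib.request.Request(f"https://{domain}/oauth/token", data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    return fetch
```

Wire it up with `provider = ServiceTokenProvider(auth0_client_credentials_fetcher(domain, client_id, client_secret, audience))`, start `run_refresh_loop` in a background thread, and have the HTTP client add `provider.authorization_header()` to each outbound call. The refresh margin should be several multiples of the retry delay so that a transient failure at the token endpoint does not leave the service sending an expired token.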