Authentication with Access Token
Anedya uses signature-based authentication for access tokens to keep your users' data secure. An Access Token has two components: TOKEN_ID and TOKEN_SECRET. Requests are authenticated with a signature derived from the secret, as described below.
Anedya Signature v1
Signature-based authentication improves security because TOKEN_SECRET is never transmitted; only a signature derived from it is. It also limits replay: a captured request stays valid for at most 15 minutes from its timestamp, after which the signature must be regenerated with a fresh timestamp. Each request must contain the following headers:
Header | Description |
---|---|
Authorization | When using token-based authentication, this header must be set to ANEDYASIGV1 |
x-anedya-SignatureVersion | Version of the signature algorithm used. Valid values: v1 |
x-anedya-Signature | Signature computed for the request |
x-anedya-timestamp | Unix timestamp (UTC) used to generate the signature. Anedya accepts timestamps within 15 minutes of the current time; requests outside that window are rejected and must be re-signed. |
x-anedya-TokenId | Token ID |
When using Access Tokens, the token secret is never sent with the request. Instead, the secret is used to derive a request-specific signature, which is carried in the x-anedya-Signature header.
The signature is generated using the following algorithm:
```text
Signature = SHA256(
    SHA256(request-body-bytes)            ||  # digest of the raw request body
    timestamp as big-endian int64 bytes   ||  # same value sent in x-anedya-timestamp
    signatureVersion as UTF-8 bytes       ||  # "v1"
    TOKEN_SECRET as UTF-8 bytes               # never sent with the request
)
```
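The following is an added worked example of the scheme above, written for this page; it is not Anedya's own SDK code. It signs a request body, builds the five required headers, and shows the server-side check a verifier would perform (recompute, enforce the 15-minute window, compare in constant time). Three details the page does not specify are assumptions here and are marked as such in the code: the inner SHA256 digest is concatenated as its raw 32 bytes (not hex), the timestamp is in Unix seconds, and the final signature is hex-encoded. The credentials and request body are constructed sample values. Note that, as written on this page, the signed material covers the body, timestamp, version and secret only.

```python
import hashlib
import hmac
import json
import struct
import time
from typing import Callable, Dict, Optional

# Constructed sample credentials for illustration only (not real Anedya tokens).
TOKEN_ID = "tok_example_0123"
TOKEN_SECRET = "s3cr3t-example-value"
SIGNATURE_VERSION = "v1"
MAX_SKEW_SECONDS = 15 * 60  # Anedya accepts timestamps within 15 minutes


def anedya_signature_v1(body: bytes, timestamp: int, token_secret: str,
                        signature_version: str = SIGNATURE_VERSION) -> str:
    """Compute Signature = SHA256(SHA256(body) || int64_be(ts) || version || secret).

    Assumptions not stated on the page: the inner digest is fed in as raw bytes,
    the timestamp is Unix seconds, and the result is returned hex-encoded.
    """
    inner = hashlib.sha256(body).digest()            # raw 32-byte digest (assumption)
    ts_bytes = struct.pack(">q", timestamp)          # big-endian signed int64
    material = (inner + ts_bytes
                + signature_version.encode("utf-8")
                + token_secret.encode("utf-8"))
    return hashlib.sha256(material).hexdigest()      # hex output (assumption)


def sign_request(body: bytes, token_id: str, token_secret: str,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Return the headers a signed request must carry; the secret is never among them."""
    if timestamp is None:
        timestamp = int(time.time())
    return {
        "Authorization": "ANEDYASIGV1",
        "x-anedya-SignatureVersion": SIGNATURE_VERSION,
        "x-anedya-Signature": anedya_signature_v1(body, timestamp, token_secret),
        "x-anedya-timestamp": str(timestamp),
        "x-anedya-TokenId": token_id,
    }


def verify_request(headers: Dict[str, str], body: bytes,
                   secret_lookup: Callable[[Optional[str]], Optional[str]],
                   now: Optional[int] = None) -> bool:
    """Server-side check: recompute from the stored secret and compare.

    Rejects the wrong auth scheme or version, unknown token IDs, timestamps
    outside the 15-minute window (replay limit), and mismatched signatures.
    The comparison is constant-time so timing does not reveal matching prefixes.
    """
    if now is None:
        now = int(time.time())
    if headers.get("Authorization") != "ANEDYASIGV1":
        return False
    if headers.get("x-anedya-SignatureVersion") != SIGNATURE_VERSION:
        return False
    try:
        timestamp = int(headers["x-anedya-timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False  # stale (or far-future) request: outside the replay window
    secret = secret_lookup(headers.get("x-anedya-TokenId"))
    if secret is None:
        return False
    expected = anedya_signature_v1(body, timestamp, secret)
    return hmac.compare_digest(expected, headers.get("x-anedya-Signature", ""))


def demo():
    """Sign a constructed body, then verify it fresh, stale, and tampered."""
    body = json.dumps({"reqId": "example-1", "data": 42}).encode("utf-8")
    ts = 1_700_000_000
    headers = sign_request(body, TOKEN_ID, TOKEN_SECRET, timestamp=ts)

    def lookup(token_id):  # stand-in for the server's token store
        return TOKEN_SECRET if token_id == TOKEN_ID else None

    fresh = verify_request(headers, body, lookup, now=ts + 60)
    stale = verify_request(headers, body, lookup, now=ts + MAX_SKEW_SECONDS + 1)
    tampered = verify_request(headers, body + b" ", lookup, now=ts + 60)
    return fresh, stale, tampered


if __name__ == "__main__":
    print(demo())
```

The verifier deliberately fails closed on every branch and uses `hmac.compare_digest` rather than `==`; the timestamp check is what turns the 15-minute validity into a replay limit, so a verifier that skips it accepts any captured request indefinitely.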