
Security

Access to the API is protected by bearer-token authentication. Every authenticated request must carry an access token (access_token), so that only authorized entities can read resources and perform operations. In addition, every authenticated request carries two extra headers that protect against replay attacks; both are described below.

Access token

To authenticate a user, API calls must include the Authorization header in the following format:

Authorization: Bearer <access_token>

The access token (access_token) is obtained through the authentication endpoints. It is short-lived by design and must be renewed through those endpoints before it expires; a request that presents an expired or unknown token is not authenticated.

Protection Against Replay Attacks

To prevent a captured request from being resubmitted by an attacker, every authenticated request must include the following two headers:

  • X-NONCE: A UUID v4 randomly generated by the client for each request. Replay protection only works if the server refuses a nonce it has already seen for a given token, so a nonce must never be reused, even when a request is retried: build a new one for every attempt.

  • X-FINGERPRINT: The unique identifier of the device that obtained the access_token. The value sent on the authentication request that issued the token must be sent unchanged on every subsequent API request made with that token; a request whose fingerprint does not match the device the token was issued to cannot be attributed to that device.
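The following is an added, self-contained example written for this page, not code from the API or its SDK. It shows both sides of the scheme described above: a client helper that builds the `Authorization`, `X-NONCE` and `X-FINGERPRINT` headers, and a server-side check that rejects a request whose nonce has already been seen for that token or whose fingerprint differs from the one the token was issued to. The token store (`ISSUED_TOKENS`), the `ReplayGuard` class and the binding of each token to the fingerprint presented at authentication are assumptions made for the example; the page only states that the fingerprint must stay constant.

```python
import uuid
from dataclasses import dataclass, field

# Constructed sample data (assumption): the server records, when a token is
# issued, the X-FINGERPRINT that the authentication request carried.
ISSUED_TOKENS = {
    "tok_example_123": "device-fp-aaaa",
}


def build_headers(access_token: str, fingerprint: str) -> dict[str, str]:
    """Client side: the three headers an authenticated request must carry.

    A fresh UUID v4 is generated on every call, so a retried request never
    reuses a nonce. The fingerprint must be the same value that was sent
    when the token was obtained.
    """
    return {
        "Authorization": f"Bearer {access_token}",
        "X-NONCE": str(uuid.uuid4()),
        "X-FINGERPRINT": fingerprint,
    }


@dataclass
class ReplayGuard:
    """Server side (hypothetical): validates the token, fingerprint and nonce.

    seen_nonces holds (token, nonce) pairs. In a real deployment the set is
    bounded by expiring entries together with the token they belong to;
    here it grows for the lifetime of the object.
    """
    issued_tokens: dict
    seen_nonces: set = field(default_factory=set)

    def verify(self, headers: dict) -> tuple[bool, str]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return False, "missing bearer token"
        token = auth[len("Bearer "):]

        bound_fp = self.issued_tokens.get(token)
        if bound_fp is None:
            return False, "unknown token"
        if headers.get("X-FINGERPRINT") != bound_fp:
            return False, "fingerprint does not match the device that obtained the token"

        nonce = headers.get("X-NONCE", "")
        try:
            parsed = uuid.UUID(nonce)
        except ValueError:
            return False, "X-NONCE is not a UUID"
        if parsed.version != 4:
            return False, "X-NONCE is not a version-4 UUID"

        # Nonces are scoped per token; a repeated pair is a replay.
        key = (token, str(parsed))
        if key in self.seen_nonces:
            return False, "replayed nonce"
        # Record the nonce only once every other check has passed, so a
        # rejected request cannot burn a nonce on behalf of a legitimate one.
        self.seen_nonces.add(key)
        return True, "ok"


def demo() -> list[str]:
    """Walk through a valid request, a replay of it, and a device mismatch."""
    guard = ReplayGuard(ISSUED_TOKENS)
    headers = build_headers("tok_example_123", "device-fp-aaaa")
    results = [guard.verify(headers)[1]]       # first use: ok
    results.append(guard.verify(headers)[1])   # same headers resent: replay
    other_device = build_headers("tok_example_123", "device-fp-bbbb")
    results.append(guard.verify(other_device)[1])  # wrong fingerprint
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note that the guard checks the fingerprint before it looks at the nonce and records the nonce only after every check passes: a request rejected for a bad fingerprint does not consume the nonce, and an attacker who captured a valid request gets "replayed nonce" on the second submission even though the token and fingerprint are correct.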