To make or receive a call using the Stringee API, your client application must be authenticated. Authentication involves three parties: Your App, Your Server and Stringee Server. This keeps the system secure (the secret key is not stored on the client) and lets Your Server block or unblock any client whenever you want.
The authentication process is described below:
HEADER:
{
    "typ": "JWT",
    "alg": "HS256", // only HS256 is supported
    "cty": "stringee-api;v=1"
}
PAYLOAD:
{
    "jti": "SK...-...", // JWT ID
    "iss": "SK...", // API key SID
    "exp": ..., // expiration time
    "userId": "..."
}
VERIFY SIGNATURE:
HMACSHA256(
    base64UrlEncode(HEADER) + "." +
    base64UrlEncode(PAYLOAD),
    apiKeySecret
)
The values:
iss: the API key SID generated by Stringee
jti: the identifier of the token; it can be generated as apiKeySid_timestamp
exp: the expiration time of the token (timestamp in seconds)
userId: the identifier of a user in your system
apiKeySecret: the API key secret generated by Stringee
Your App connects to Stringee Server with the access_token.
Stringee Server returns the authentication result.
See sample code for generating the access_token here: https://github.com/stringeecom/server-samples/tree/master/access_token
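The token layout described above, built with only the Python standard library. This is an added example, not Stringee's sample code: the function names, the ttl_seconds and now parameters, and the local verify_access_token check (including its exp test) are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    # JWT uses base64url with the "=" padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_access_token(api_key_sid, api_key_secret, user_id, ttl_seconds=3600, now=None):
    """Runs on Your Server only: apiKeySecret must never be shipped to the client."""
    now = int(time.time()) if now is None else int(now)
    header = {"typ": "JWT", "alg": "HS256", "cty": "stringee-api;v=1"}
    payload = {
        "jti": f"{api_key_sid}_{now}",   # apiKeySid_timestamp, as the page suggests
        "iss": api_key_sid,
        "exp": now + ttl_seconds,        # seconds; the default lifetime is an assumption
        "userId": user_id,
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(api_key_secret.encode("utf-8"), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_access_token(token, api_key_secret, now=None):
    """Local self-check (assumed logic, not Stringee's): payload dict or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    expected = hmac.new(api_key_secret.encode("utf-8"), f"{h64}.{p64}".encode("utf-8"),
                        hashlib.sha256).digest()
    # Constant-time comparison, done before any parsing of the untrusted JSON
    if not hmac.compare_digest(b64url(expected).encode("ascii"), s64.encode("utf-8")):
        return None
    decode = lambda s: json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    header, payload = decode(h64), decode(p64)
    now = int(time.time()) if now is None else int(now)
    if header.get("alg") != "HS256" or payload.get("exp", 0) <= now:
        return None
    return payload
```

A short ttl_seconds limits how long a leaked token stays usable; Your Server can simply decline to issue a new one to a client it wants blocked.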