Authentication
Server to server token
Authentication uses a bearer token. Set it in the Authorization header as follows:
Authorization: Bearer Token
You can use an API token for server to server communication, and you can issue a valet key for use by mobile/web clients.
Note
Please do not put your API token into an untrusted client like a mobile application!
Valet Key - short-lived token
For a mobile/web application, you have two options:
- Call our Access API from your backend with the server to server token to issue a short-lived token that the application can use to talk to Smartscan on your behalf.
- If you have an OpenID Connect based identity provider (e.g. Visma Connect), you can reuse existing authentication.
Reusing existing authentication on mobile benefits performance and lets you avoid backend work. The flow used on mobile is called "PKCE for OAuth 2.0" (RFC 7636). We support both Access Tokens and Identity Tokens, for ease of use and quick on-boarding. Please note that this technique is not limited to Visma Connect; any OAuth / OpenID Connect provider that exposes a JSON Web Key Endpoint can be used.
Contact support if you would like to implement this flow.
Valet Key Request
You provide a sub(ject) and get back a token. The subject is optional, but highly recommended.
A short-lived token can only be used for prediction; data manipulation is disabled.
You will get back an ID and a Token which can be used as a bearer token. The ID is not currently used, but we plan to support revoking tokens by ID.
You can set a custom expiration date by providing a Unix timestamp in the field "exp", but it has to be less than 48 hours in the future. We only support short-lived tokens for the valet key flow. The default expiry is 8 hours.
Request
POST v1/access/valetkey
https://api.stag.ssn.visma.ai/v1/access/valetkey
Authorization - Bearer Token
Token: [API token]
Body - raw (json)
{ "sub": "1234" }
Response
200 OK POST v1/access/valetkey
https://api.stag.ssn.visma.ai/v1/access/valetkey
Body - raw (json)
{ "id": "babd92f9-6f49-44ec-a8fb-5480feb39664", "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJ2bWwiLCJleHAiOjE3MjYxNzI3NzQsImlhdCI6MTcyNjE0Mzk3NCwiaXNzIjoic21hcnRzY2FuIiwianRpIjoiYmFiZDkyZjktNmY0OS00NGVjLWE4ZmItNTQ4MGZlYjM5NjY0Iiwic3ViIjoiMTIzNCJ9.WnT8pv7RtIhP0lZGab3o65FSF2GXuL9bh-jQ6YdnRZnRRtlxTYiaLnt8L1nd3b0b09iSaNx9SnjngzPD2UEd4A" }
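The backend side of the valet key flow described above, as an added example that is not Smartscan's own code: it builds the request with a bounded "exp", then checks that the returned token is bound to the requested subject before handing it to the client. The function names, the Content-Type header and the reliance on the "sub", "iat", "exp" and "jti" claims (as seen in the sample response on this page) are assumptions.

```python
import base64
import json
import time
import urllib.request

VALETKEY_URL = "https://api.stag.ssn.visma.ai/v1/access/valetkey"  # staging URL from this page
MAX_LIFETIME = 48 * 3600  # "exp" has to be less than 48 hours in the future
# Sample response copied from this page, used here as offline test input.
SAMPLE_RESPONSE = {
    "id": "babd92f9-6f49-44ec-a8fb-5480feb39664",
    "token": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfaWQiOiJ2bWwiLCJleHAiOjE3MjYxNzI3NzQsImlhdCI6MTcyNjE0Mzk3NCwiaXNzIjoic21hcnRzY2FuIiwianRpIjoiYmFiZDkyZjktNmY0OS00NGVjLWE4ZmItNTQ4MGZlYjM5NjY0Iiwic3ViIjoiMTIzNCJ9.WnT8pv7RtIhP0lZGab3o65FSF2GXuL9bh-jQ6YdnRZnRRtlxTYiaLnt8L1nd3b0b09iSaNx9SnjngzPD2UEd4A",
}


def build_valetkey_request(api_token, sub, lifetime=None, now=None):
    """Build (not send) the server-side POST that issues a valet key for one user."""
    body = {"sub": str(sub)}
    if lifetime is not None:
        if not 0 < lifetime < MAX_LIFETIME:
            raise ValueError("lifetime must be positive and under 48 hours")
        now = int(time.time()) if now is None else now
        body["exp"] = now + int(lifetime)  # Unix timestamp, as the "exp" field expects
    return urllib.request.Request(
        VALETKEY_URL,
        data=json.dumps(body).encode(),
        method="POST",
        # Content-Type is an assumption; the page only says the body is raw JSON.
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
    )


def read_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (bookkeeping only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_response(resp, expected_sub):
    """Refuse a token issued for another subject; return its lifetime in seconds."""
    claims = read_claims(resp["token"])
    if claims.get("sub") != str(expected_sub):
        raise ValueError("valet key issued for a different subject")
    return claims["exp"] - claims["iat"]
```

Run against the sample response, `check_response` returns 28800 seconds, which matches the documented 8 hour default, and the token's "jti" claim equals the returned "id".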