# Authentication
# Introduction
The Akixi application uses a password-based authentication mechanism. Most Akixi features are available only to authenticated Users, so authentication-related steps normally precede all other API requests.
The authentication procedure consists of three operations:
- Create Session
- Login
- Logout
# Create Session
The first step in the authentication process is to create the Akixi service session. The user then has to authenticate the session using Basic authentication; for details see the Login request documentation. Once the session is authenticated, its identifier must be sent as the JSESSIONID cookie with all requests.
# Request
# HTTP Method
POST
# URL Endpoint
/session
# Parameters:
There are no query parameters.
# Body
There is no request body.
# Sample URL
https://sampleurl.akixi.com/CCS/API/v1/session
# Response
# Example Of A Successful Result With 200 HTTP Status Code
```json
{
  "Nonce": "20d5e39b41c7016d3ec9e647ccdbac1f",
  "SessionID": "D199F7ED33E35249933A20CA07387C43"
}
```
# Fields:
# Nonce
- type: string
A cryptographic string that can be used only once in the authentication flow.
Note: the Nonce is not relevant to the v1 API version in the Basic authentication flow.
# SessionID
- type: string
The identifier of the Akixi service user session, which must subsequently be sent in all requests as the JSESSIONID cookie.
# Code Snippets
See the following code snippets to help you start with the integration:
# Login
The session created using the Create Session request has to be authenticated. The v1 API version supports HTTP Basic authentication to authenticate a user.
# Request
# HTTP Method
GET
# Endpoint
/login
# Parameters:
| Parameter | Description |
|---|---|
| locale | The locale that will be used for the authenticated HTTP session. The supported values are `en_GB` and `en_US`. |
# Body
There is no request body.
# Sample URL
https://sampleurl.akixi.com/CCS/API/v1/login?locale=en_GB
# Response
In case of successful authentication, the 200 HTTP status code is returned with an empty response body.
# Code Snippets
See the following code snippets to help you start with the integration:
# Logout
A User must be logged out in order to explicitly end the API session, which immediately frees up server-side resources and also improves security.
# Request
# HTTP Method
GET
# Endpoint
/logout
# Parameters:
There are no query parameters.
# Body
There is no request body.
# Sample URL
https://sampleurl.akixi.com/CCS/API/v1/logout
# Response
In case of a successful logout, the 200 HTTP status code is returned with an empty response body.
# Code Snippets
See the following code snippets to help you start with the integration:
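The three-step flow described in the Create Session, Login and Logout sections, as an added example that is not Akixi's own code: it assembles the requests with Python's urllib so the header and cookie handling can be checked offline before anything is sent. The Basic `Authorization` header form (RFC 7617) is assumed, as the page does not show it; the base URL reuses the documentation's sample host.

```python
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "https://sampleurl.akixi.com/CCS/API/v1"  # sample host from the docs


def create_session_request(base_url=BASE_URL):
    # Step 1: POST /session has no query parameters and no request body.
    return urllib.request.Request(f"{base_url}/session", method="POST")


def parse_session_id(body):
    # The 200 response carries {"Nonce": ..., "SessionID": ...}; only the
    # SessionID matters for the v1 Basic flow (the Nonce is not used in v1).
    session_id = json.loads(body).get("SessionID")
    if not session_id:
        raise ValueError("Create Session response has no SessionID")
    return session_id


def login_request(session_id, username, password, locale="en_GB", base_url=BASE_URL):
    # Step 2: GET /login?locale=... sends the credentials as an HTTP Basic
    # Authorization header (standard RFC 7617 form, assumed here) and the
    # session as the JSESSIONID cookie, as the SessionID field requires.
    if locale not in ("en_GB", "en_US"):
        raise ValueError(f"unsupported locale {locale!r}")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    url = f"{base_url}/login?{urllib.parse.urlencode({'locale': locale})}"
    headers = {"Authorization": f"Basic {token}", "Cookie": f"JSESSIONID={session_id}"}
    return urllib.request.Request(url, headers=headers, method="GET")


def logout_request(session_id, base_url=BASE_URL):
    # Step 3: GET /logout with the same cookie ends the session server-side.
    headers = {"Cookie": f"JSESSIONID={session_id}"}
    return urllib.request.Request(f"{base_url}/logout", headers=headers, method="GET")


def authenticate(username, password, locale="en_GB", send=urllib.request.urlopen):
    """Create Session then Login; returns the SessionID to reuse as the JSESSIONID cookie.
    A failed login (HTTPError from urlopen, or a non-200 status) propagates at once and is
    never retried in a loop, since repeated failures trigger the lock-out described under
    Security. `send` defaults to urlopen and can be a fake response factory for offline tests."""
    with send(create_session_request()) as resp:
        if resp.status != 200:
            raise RuntimeError(f"Create Session failed with HTTP {resp.status}")
        session_id = parse_session_id(resp.read())
    with send(login_request(session_id, username, password, locale)) as resp:
        if resp.status != 200:
            raise RuntimeError(f"Login failed with HTTP {resp.status}")
    return session_id
```

After `authenticate()` returns, the same SessionID goes into the `Cookie` header of every subsequent request, and `logout_request()` should be sent as soon as the session is no longer needed rather than waiting for the 30-minute inactivity timeout.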
# Security
# Recommendations On Security
Akixi User credentials must be treated as confidential and sensitive information. Therefore, developers and users working on or with the REST API should carefully evaluate a password protection scheme that provides a reasonable level of security. For example, you must avoid bad practices such as storing Akixi credentials in clear text within unencrypted configuration files, key-stores, and/or database fields, especially if these are publicly accessible, directly or indirectly. All security-related scenarios must be evaluated and tested in order to avoid security breaches caused by client-side vulnerabilities.
# Brute Force Attack Prevention
If a user authentication attempt fails due to incorrect credentials, you get 3 attempts before the application temporarily locks out the corresponding User account for a period of 5 seconds. Each subsequent failed password attempt doubles the temporary lock-out period (i.e. to 10 seconds, 20 seconds, etc.).
After several failed authentication attempts, your account will be permanently disabled and you will have to refer the problem to your Application Provider in order to get that particular User account unlocked.
# Session Timeouts
Once signed in, your session can expire due to inactivity. The session inactivity timeout is 30 minutes: you are automatically logged out if your API session remains inactive for 30 minutes or more. Although your session will naturally expire when left inactive, we strongly recommend that developers explicitly invoke the Logout request whenever the API session is no longer required.