Trusted device registration
Trusted devices are SAFEQ Cloud clients that must be authorized by a SAFEQ Cloud administrator before they can perform certain API calls. The API key setting Allow untrusted endpoints controls whether a client using this API key is required to be in a trust relationship with the SAFEQ Cloud server. If this option is disabled (which is the default), the client must obtain a device token before calling authentication functions of the public API.
This device token must then be provided to the /login API call in the Authorization: Bearer <token> header.
A trusted connection ensures, for example, that password-less authentication (card ID or short ID) can only be used from trusted devices.
Trusted device functions are available at the /oauth/v1 base endpoint on HTTPS port 7400. All requests must be sent as HTTP GET queries with URL-encoded parameters. All responses are JSON objects. In case of an error, the Error JSON object is returned, which has the following structure:
{
"error": "error_code",
"error_description": "textual error description"
}
Some functions require the HCP-Request-Signature header, which holds a signature of the query parameter string.
For GET requests, that is the URL-encoded string after the ? sign in the query path. For example, for the query /path?param1=value2&param2=value2 the signature must be provided for the string param1=value2&param2=value2.
For POST requests, that is the request body.
The signature algorithm depends on the key_type parameter provided to the /register call. The signature must be base64-encoded.
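The following Python sketch is an added example, not SAFEQ Cloud code. It shows how a client can select the exact bytes to sign (the raw query string for GET, the body for POST) and build the HCP-Request-Signature header value. The function names are hypothetical, and HMAC-SHA256 is only a placeholder for the real algorithm, which is determined by key_type and is not listed on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

SIGNATURE_HEADER = "HCP-Request-Signature"  # header name given on the page


def string_to_sign(method, url, body=b""):
    """Return the exact bytes the signature must cover."""
    method = method.upper()
    if method == "GET":
        # Use the query exactly as it will be sent. Decoding, re-encoding or
        # reordering parameters changes the string the server verifies.
        return urlsplit(url).query.encode("ascii")
    if method == "POST":
        return body
    raise ValueError("unsupported method: " + method)


def placeholder_signer(key):
    """Assumption: HMAC-SHA256 stands in for the real algorithm, which is
    selected by the key_type given to /register and not listed on the page."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()


def signature_header(method, url, sign, body=b""):
    """Build the header: raw signature bytes, base64-wrapped."""
    raw = sign(string_to_sign(method, url, body))
    return {SIGNATURE_HEADER: base64.b64encode(raw).decode("ascii")}


if __name__ == "__main__":
    sign = placeholder_signer(b"constructed-demo-key")  # constructed key
    url = "/path?param1=value2&param2=value2"           # query from the page
    print(string_to_sign("GET", url))
    print(signature_header("GET", url, sign))
    # Same parameters in a different order produce a different signature.
    print(signature_header("GET", "/path?param2=value2&param1=value2", sign))
```

Sign the query string only after it has been finalized by the HTTP client, since a library that re-encodes or reorders parameters on send will invalidate the signature.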