
REST APIs

REST API Authentication

Every REST API call must be authenticated. The two supported authentication methods are outlined below.

Authenticating with JSON Web Tokens (JWT)

This is the preferred authentication method.

JSON Web Tokens are an open, industry-standard (RFC 7519) method for representing claims securely between two parties.

JWTs provide many additional benefits over accessing the APIs with simple tokens.

  • Multiple, different JWTs can be generated and active at the same time
  • An individual JWT can be reset at any time
  • Each JWT contains a specific expiration date and time 
  • A JWT can be blacklisted at any time regardless of the original set expiration date and time
  • Each JWT has fine-grained access permissions
    • Restrict which APIs are accessible
    • Restrict which methods on the API are allowed
  • Detailed API auditing by JWT

To access a REST API using JWT

  1. Acquire a JWT
  2. Set the x-access-token HTTP header with a valid JWT
  3. Call the REST API
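
The three steps above, sketched as an added example (not code from this documentation or its vendor). It assumes the JWT has already been acquired, that its expiration is carried in the RFC 7519 exp claim, and that api.example.com stands in for the real host; the helper names are hypothetical.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import quote

BASE_URL = "https://api.example.com"  # assumption: placeholder host, not from the page


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (client-side inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token, now=None):
    """Assumes the expiration is in the RFC 7519 'exp' claim (seconds since epoch)."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        raise ValueError("token has no 'exp' claim")
    return exp - (time.time() if now is None else now)


def build_account_request(token, account_num, now=None, min_ttl=30):
    """Build (not send) a GET for the Account API with the JWT in x-access-token."""
    if seconds_until_expiry(token, now) < min_ttl:
        raise PermissionError("JWT expired or about to expire; acquire a new one")
    url = f"{BASE_URL}/seiapi/v3/trans/Account/{quote(str(account_num), safe='')}"
    # The credential travels in the header; the URL carries no customerid/customercode.
    return urllib.request.Request(url, headers={"x-access-token": token}, method="GET")


def make_sample_jwt(exp):
    """Constructed, unsigned sample token for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc({'exp': exp})}.sample-signature"


if __name__ == "__main__":
    req = build_account_request(make_sample_jwt(int(time.time()) + 3600), "12345")
    print(req.full_url, dict(req.header_items()))
    # urllib.request.urlopen(req) would send it. A JWT that has been reset or
    # blacklisted is still rejected by the server even if this local check passes.
```

The local expiry check only avoids sending a token that is already known to be stale; the server remains the authority on whether a JWT is valid.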

Authenticating with customerid and customercode Tokens (CCT)

Using the customerid and customercode tokens (CCT) is the original way of authenticating to the REST APIs. It is now legacy but still supported.

Simple tokens, similar to our CCT, are still a common authentication strategy employed by many software vendors, but they have some disadvantages. Within our system, the CCT represents full administrator access to all of the REST APIs. If multiple development teams use the same CCT, auditing becomes more difficult because it is harder to determine which team called which API. Resetting the CCT requires all systems to be updated with the new values in order to continue accessing the REST APIs.

To access a REST API using CCT, pass valid customerid and customercode values as query parameters to any of the API URLs.

Example

GET /seiapi/v3/trans/Account/${AccountNum}?customerid=xxxx&customercode=xxxx

 

 

POST vs PUT Operations

A PUT operation performs an upsert (update or insert): it inserts the object if it does not exist in the system, or updates the object if it already exists. An update of an existing object replaces the entire object with the new object.

A POST operation is used to insert a new object into the system and have the system return the ID associated with the new object. Please refer to the individual API documentation as not all APIs support the POST operation. 

Available REST APIs