Encryption as a Service

Admin

POST v0/user/register

Purpose: Register a user from a trusted source

Request:
{
    appid             : "an-app-id"
    clientkey         : "a-client-key"
    username        : "A UserName"
    deviceid        : "A DeviceID"
    device-package    : "DevicePackage (base 64)"
}
Logic:
1) Verify appid and client key
2) Save user and device package

Response:
{
    userid     : "userid"
}
Errors:
• missing appid
• missing client key
• missing device id
• missing device package

POST v1/user/register

Purpose: Register a user from a trusted source

Request:
{
    appid             : "an-app-id"
    clientkey         : "a-client-key"
    username        : "A UserName"
    device-token    : "A Device Token"
}
Logic:
1) Verify appid and client key
2) Find the device by device token
3) Register the user and re-register the device from the temporary user to the new user
4) Transfer all en/decryption keys from the temporary user to the new user

Response:
{
    userid     : "userid"
}
Errors:
• missing appid
• missing client key
• missing device-token

DELETE /disable/device/{device_id}

Purpose: Deauthorizes a device. When the device next requests developer_settings, an error is returned and the SDK should be wiped.

Request:
{
    "timestamp"   :   203948543,
    "signature"   :   "Base64 encoded signature of device_id"
}
Logic:
1) Verify the request
2) Update device information

Response: Http 200 OK
Errors:
• missing appid
• missing server key
• missing device id
• invalid signature

POST v0/user/device/add

Purpose: Register another device for a user

Request:
{
    appid             : "an-app-id"
    clientkey         : "a-client-key"
    userid            : "userid"
    deviceid        : "A DeviceID"
    device-package    : "DevicePackage (base 64)"
}
Logic:
1) Verify the request
2) Save device information

Response: Http 200 OK

Errors:
• missing appid
• invalid/missing clientkey
• missing userid
• missing device id
• invalid/missing device-package

POST v1/user/device/add

Purpose: Register another device for a user

Request:
{
    appid             : "an-app-id"
    clientkey         : "a-client-key"
    userid            : "userid"
    deviceid        : "A DeviceID"
    userCert        : "User Certificate as String"
    deviceCert        : "Device Certificate as String"
}
Logic:
1) Verify the request
2) Save device information

Response: Http 200 OK

Errors:
• missing appid
• invalid/missing clientkey
• missing userid
• missing device id
• invalid/missing userCert
• invalid/missing deviceCert
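
To make the v1/user/register logic and the DELETE /disable/device/{device_id} check concrete, here is an added Python model of both flows. It is illustrative code written for this page, not the service's own implementation. It assumes an in-memory store, assumes the disable signature is HMAC-SHA256 over the device id under the app's server key (the page does not name the algorithm), and assumes a 300-second freshness window for the timestamp; the error strings follow the lists above, and all function and variable names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Constructed in-memory state standing in for the service's database (hypothetical).
APPS = {}      # appid    -> {"clientkey": str, "serverkey": bytes}
DEVICES = {}   # deviceid -> {"token": str, "owner": userid, "disabled": bool}
USERS = {}     # userid   -> {"username": str | None, "devices": set, "keys": dict}
MAX_AGE_SECONDS = 300   # assumption: accepted age of a signed disable request


def seed():
    """Reset to constructed sample data: one temporary user holding one device and two keys."""
    APPS.clear(); DEVICES.clear(); USERS.clear()
    APPS["an-app-id"] = {"clientkey": "a-client-key", "serverkey": b"a-server-key"}
    USERS["tmp-user-1"] = {"username": None, "devices": {"dev-1"},
                           "keys": {"k1": b"enc-key-1", "k2": b"enc-key-2"}}
    DEVICES["dev-1"] = {"token": "tok-abc", "owner": "tmp-user-1", "disabled": False}


def register_user_v1(body):
    """POST v1/user/register: validate, find the device by token, move device and keys."""
    for field in ("appid", "clientkey", "device-token"):          # errors listed on the page
        if not body.get(field):
            return {"error": f"missing {field}"}
    app = APPS.get(body["appid"])
    if app is None or not hmac.compare_digest(app["clientkey"].encode(),
                                              str(body["clientkey"]).encode()):
        return {"error": "invalid appid/clientkey pair"}
    match = [(d, rec) for d, rec in DEVICES.items() if rec["token"] == body["device-token"]]
    if not match:
        return {"error": "unknown device-token"}                   # assumption: not on the page
    deviceid, rec = match[0]
    tmp_userid = rec["owner"]
    userid = f"user-{len(USERS)}"
    USERS[userid] = {"username": body.get("username"), "devices": {deviceid}, "keys": {}}
    # Step 3: the device now belongs to the new user, not the temporary one.
    USERS[tmp_userid]["devices"].discard(deviceid)
    rec["owner"] = userid
    # Step 4: transfer every en/decryption key; the temporary user keeps nothing.
    USERS[userid]["keys"] = USERS[tmp_userid]["keys"]
    USERS[tmp_userid]["keys"] = {}
    return {"userid": userid}


def sign_device_id(appid, device_id, now=None):
    """Caller side: build the body of DELETE /disable/device/{device_id}.
    Stand-in algorithm (assumption): HMAC-SHA256 over device_id under the app's server key."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(APPS[appid]["serverkey"], device_id.encode(), hashlib.sha256).digest()
    return {"timestamp": ts, "signature": base64.b64encode(mac).decode()}


def disable_device(appid, device_id, body, now=None):
    """Service side: verify the request, then record the device as deauthorized."""
    if not appid:
        return {"error": "missing appid"}
    app = APPS.get(appid)
    if app is None:
        return {"error": "missing server key"}
    if not device_id or device_id not in DEVICES:
        return {"error": "missing device id"}
    if not isinstance(body.get("timestamp"), int) or not body.get("signature"):
        return {"error": "invalid signature"}
    now = int(time.time() if now is None else now)
    if abs(now - body["timestamp"]) > MAX_AGE_SECONDS:
        return {"error": "invalid signature"}    # stale timestamp: treated like a bad signature
    try:
        given = base64.b64decode(body["signature"], validate=True)
    except (ValueError, TypeError):
        return {"error": "invalid signature"}
    expected = hmac.new(app["serverkey"], device_id.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return {"error": "invalid signature"}
    DEVICES[device_id]["disabled"] = True
    return {"status": 200}


def developer_settings(device_id):
    """What the SDK's developer_settings request gets back once the device is disabled."""
    rec = DEVICES.get(device_id)
    if rec is None or rec["disabled"]:
        return {"error": "device disabled", "wipe": True}
    return {"ok": True, "owner": rec["owner"]}
```

Note that the page signs only device_id; the timestamp is what lets the service refuse an old request, so the freshness check above is the part worth keeping even if a different signature scheme is used.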

Federated Identity (Auth)

POST /auth/start

Purpose: Start a new authentication session

Headers: Content-Type: application/json

Body:
{
    "appid" : "string, required, your public app id",
    "serverkey" : "string, required, your secret server key",
    "username" : "string, optional, username registered with identos",
    "userid" : "string, optional, identos id returned during registration",
    "disable_push" : boolean, optional, flag to disable server sending push notification to devices for this request,
    "callback_url" : "url, optional, will be called when this authentication completes"
}
Success Response: Code: 200
{
    "id" : "string, identifies this authentication session",
    "join_otp" : "string, the user can use this otp to join this session in their auth app",
}
Error Response: Code: 400
{
    "error" : "invalid user"
}
Code: 401
{
    "error" : "invalid appid/serverkey pair"
}
Example Call: TBD

Notes:
• If username is present, it will override any userid
• If there is no callback_url or username, the user will need the join_otp to join the Authentication Session in the App

POST :callback_url

This is how the callback url, specified during /auth/initiate, will be used.

Headers: Content-Type: application/json

Body:
{
    "username" : "string, identifies this authenticated user",
    "id" : "string, identifies the authentication session",
}
OR
{
    "error" : "expired",
    "id" : "string, identifies the authentication session",
}
Success Response: The server expects a 2XX type response

Code: 2XX

Notes:
• If a 2XX response is not received the server may retry the call

POST /auth/verify

Purpose: Verify a user's OTP from a successful authentication in their Auth App

Headers: Content-Type: application/json

Body:
{
    "appid" : "string, required, your public app id",
    "serverkey" : "string, required, your secret server key",
    "otp" : "string, required, otp to confirm"
}
Success Response: You must inspect the body to determine whether the OTP was valid.

Code: 200
{
    "username" : "string, identifies this authenticated user",
    "id" : "string, identifies the authentication session",
}
OR
{
    "error" : "unknown otp"
}
Error Response: Code: 401
{
    "error" : "invalid appid/serverkey pair"
}
Example Call: TBD
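
Since the Example Call entries are still TBD, here is an added Python model of the whole Federated Identity flow (/auth/start, the :callback_url POST with its retry, and /auth/verify) as the three sections above describe it. It is illustrative code for this page, not identos's implementation: it assumes an in-memory store, a 120-second session lifetime, up to three callback attempts, single-use confirmation OTPs, and that the Auth App supplies the username when the user approves; the message shapes and the error strings are the ones listed above, and every function and variable name is hypothetical.

```python
import secrets
import time

SESSION_TTL_SECONDS = 120    # assumption: the page only says a session can expire
CALLBACK_MAX_ATTEMPTS = 3    # assumption: the page only says the server may retry

# Constructed sample state standing in for identos's database (hypothetical names).
APPS = {"an-app-id": "a-server-key"}     # appid -> secret server key
REGISTERED = {"A UserName": "uid-1"}     # username -> identos userid
SESSIONS = {}        # session id -> session record
OTPS = {}            # confirmation otp -> session id (single use)
PUSH_QUEUE = []      # (userid, session id): pushes the server would send to the user's devices
CALLBACK_LOG = []    # (callback_url, payload, attempts needed)


def _check_app(body):
    """Both endpoints reject a bad appid/serverkey pair with 401."""
    expected = APPS.get(body.get("appid", ""))
    given = str(body.get("serverkey", ""))
    if expected is None or not secrets.compare_digest(expected.encode(), given.encode()):
        return 401, {"error": "invalid appid/serverkey pair"}
    return None


def auth_start(body, now=None):
    """POST /auth/start -> (code, json). A username overrides any userid, as the page notes."""
    bad = _check_app(body)
    if bad:
        return bad
    username, userid = body.get("username"), body.get("userid")
    if username is not None:
        userid = REGISTERED.get(username)
        if userid is None:
            return 400, {"error": "invalid user"}
    elif userid is not None and userid not in REGISTERED.values():
        return 400, {"error": "invalid user"}
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"id": sid, "userid": userid, "username": None, "state": "pending",
                     "callback_url": body.get("callback_url"),
                     "join_otp": f"{secrets.randbelow(10 ** 6):06d}",
                     "created": time.time() if now is None else now}
    if userid is not None and not body.get("disable_push", False):
        PUSH_QUEUE.append((userid, sid))   # with no known user, only the join_otp reaches the session
    return 200, {"id": sid, "join_otp": SESSIONS[sid]["join_otp"]}


def join_session(join_otp):
    """Auth App side: the user types the join OTP; find the pending session it belongs to."""
    for s in SESSIONS.values():
        if s["state"] == "pending" and secrets.compare_digest(s["join_otp"], str(join_otp)):
            return s["id"]
    return None


def _deliver_callback(session, payload, post):
    """POST :callback_url via post(url, payload) -> http code; retry while the response is not 2XX."""
    if not session["callback_url"]:
        return
    attempt = 0
    while attempt < CALLBACK_MAX_ATTEMPTS:
        attempt += 1
        if 200 <= post(session["callback_url"], payload) < 300:
            break
    CALLBACK_LOG.append((session["callback_url"], payload, attempt))


def complete(session_id, username, post, now=None):
    """The user approved the login in the Auth App. Returns the confirmation OTP, or None."""
    s = SESSIONS[session_id]
    if s["state"] != "pending":
        return None
    if (time.time() if now is None else now) - s["created"] > SESSION_TTL_SECONDS:
        expire(session_id, post)
        return None
    otp = secrets.token_urlsafe(12)
    s.update(state="done", username=username)
    OTPS[otp] = session_id
    _deliver_callback(s, {"username": username, "id": session_id}, post)
    return otp


def expire(session_id, post):
    """Mark the session expired and tell the callback_url, using the second body shape above."""
    s = SESSIONS[session_id]
    s["state"] = "expired"
    _deliver_callback(s, {"error": "expired", "id": session_id}, post)


def auth_verify(body):
    """POST /auth/verify -> (code, json). An unknown OTP is still a 200: inspect the body."""
    bad = _check_app(body)
    if bad:
        return bad
    sid = OTPS.pop(str(body.get("otp", "")), None)   # single use: a replayed OTP is unknown
    if sid is None:
        return 200, {"error": "unknown otp"}
    return 200, {"username": SESSIONS[sid]["username"], "id": sid}
```

The `post` argument is whatever performs the HTTP call to callback_url; in the model it is passed in so the retry-until-2XX behaviour can be exercised without a network. The single-use OTP in auth_verify is an assumption the page does not state, but it is the behaviour that makes "inspect the body" meaningful: a second verify of the same OTP returns 200 with "unknown otp".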