How does the authentication work?

Best Answer

  • kamil.cisewski
    Answer ✓

    Hello @Susan Genoray, the API uses a form of
    digital signature to handle authentication (specifically, HMAC-SHA256 wrapped
    in an HTTP signature within the "Authorization" header). An API client
    will receive a secret key from WC1, and will use this key to sign every request
    they send through to the API. When WC1 receives an API request, it will try to
    recompute the digital signature for the given user, and will only process the
    request if the signatures match. This signature is also used to validate that
    the contents of the API requests are not tampered with, in that their full
    contents form part of the data that is used to compute the signature.
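
The sign-then-recompute flow described in the answer above, as an added example that is not part of the original answer and is not WC1's own code. The covered headers, signing-string layout, key, key ID, host and path are all assumptions made for illustration (the layout follows the generic HTTP Signatures draft style); the exact format WC1 expects must come from its API documentation.

```python
import base64
import hashlib
import hmac

# Constructed placeholder values, not real credentials or endpoints.
SECRET = b"example-secret-key"
KEY_ID = "example-key-id"
COVERED = ("host", "date", "content-type")  # assumed set of signed headers

def signing_string(method, path, headers, body):
    # The request line, the covered headers and the full body all feed the MAC,
    # so changing any of them in transit changes the expected signature.
    lines = [f"(request-target): {method.lower()} {path}"]
    lines += [f"{name}: {headers[name]}" for name in COVERED]
    lines.append(f"content-length: {len(body)}")
    return "\n".join(lines).encode() + b"\n" + body

def sign(secret, method, path, headers, body):
    data = signing_string(method, path, headers, body)
    return base64.b64encode(hmac.new(secret, data, hashlib.sha256).digest()).decode()

def authorization_header(key_id, secret, method, path, headers, body):
    # Client side: build the value sent in the "Authorization" header.
    sig = sign(secret, method, path, headers, body)
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="(request-target) host date content-type content-length",'
            f'signature="{sig}"')

def verify(secret, method, path, headers, body, auth_header):
    # Server side: recompute the signature with the stored secret for this
    # client and compare in constant time; reject anything malformed.
    try:
        received = auth_header.split('signature="', 1)[1].split('"', 1)[0]
    except IndexError:
        return False
    expected = sign(secret, method, path, headers, body)
    return hmac.compare_digest(expected.encode(), received.encode())

# Constructed sample request.
HEADERS = {"host": "api.example.com",
           "date": "Tue, 07 Jun 2022 20:51:35 GMT",
           "content-type": "application/json"}
BODY = b'{"name": "example"}'
AUTH = authorization_header(KEY_ID, SECRET, "POST", "/v1/cases", HEADERS, BODY)

if __name__ == "__main__":
    print(AUTH)
    print("untouched:", verify(SECRET, "POST", "/v1/cases", HEADERS, BODY, AUTH))
    print("tampered: ", verify(SECRET, "POST", "/v1/cases", HEADERS, b'{"name": "exampl3"}', AUTH))
```

Because the date header is part of the signed data, a server can also reject requests whose date is too far from its own clock, which limits replay of a captured request.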