Hello @Susan Genoray, the API uses a form ofdigital signature to handle authentication (specifically, HMAC-SHA256 wrappedin a HTTP signature within the "Authorization" header). An API clientwill receive a secret key from WC1, and will use this key to sign every requestthey send through to the API. When WC1 receives an API request, it will try torecompute the digital signature for the given user, and will only process therequest if the signatures match. This signature is also used to validate thatthe contents of the API requests are not tampered with, in that their fullcontents form part of the data that is used to compute the signature.
