The platform provides an open API. By calling it over HTTP/HTTPS, users can manage devices, query data, and exchange commands with devices, and can build upper-layer applications on top of the API to suit their own requirements.
To improve API access security, the OneNET API carries its authorization parameter in a request header.
OneNET supports two authorization modes, common (normal) authorization and safe (secure) authorization; the table below compares them:
| | Normal | Secure (recommended) |
---|---|---|
Core key | apiKey | accessKey |
Header parameter name | "api-key" | "Authorization" |
Header parameter value | apiKey (the key itself is transmitted directly) | A token composed of the parameter group, containing no key |
Access time control | Not Supported | Supported (access time is controlled by the parameters in the parameter group) |
Custom permission | Not Supported | Supported (available in the near future) |
Core key update | Not Supported | Supported (available in the near future) |
HTTPS | Supported | Supported |
Security | Low | High |
1 Common authorization
The common authorization mode uses apiKey as the authorization key. apiKey has two access levels: Master (product level) and device level.
| | **Product level** | **Device level** |
---|---|---|
Quantity | Unique under the product | More than one under the product |
Scope of permission | All resources of the product can be manipulated, including: device, data flow, data point, trigger, document, command and device apiKey | Operations on some devices only, including device details, device data flow, device data point |
Custom permission | Not Supported | Supported at the device level. Users need to associate the apiKey with a device; once associated, the apiKey has the maximum permission for that device. |
(taking "API for retrieving device details" as an example)
GET /devices/3532392
api-key: WhI3aidfa82SUBD34h123hv1c=
2 Safe authorization
In safe authorization, accessKey is the core key. Users compute a signature from the core key with the signature algorithm, combine the signature with the other parameters to form a token, and send the token as the header parameter for authorization.
Because the core key is never transmitted directly over the network during security authentication, and because the authentication parameters add time control and key permission granularity control (available in the near future), authentication is more secure and access security is maximized.
See the security authentication chapter for details.
(taking "API for retrieving device details" as an example)
GET /devices/3532392
Authorization: version=2018-10-31&res=products%2F123123&et=1537255523&method=sha1&sign=ZjA1NzZlMmMxYzIOTg3MjBzNjYTI2MjA4Yw%3D
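
The token flow described above, as an added example that is not OneNET's own code: it builds an Authorization value in the parameter-group format shown here and checks it the way a receiving service could, covering signature, allowed method and expiry. The function names, the constructed DEMO_ACCESS_KEY, the base64-encoded key, the reading of et as a Unix expiry time and the string-to-sign layout are assumptions; the authoritative algorithm is in the security authentication chapter.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote

# Constructed demo key (not a real accessKey); accessKey is assumed to be base64 text.
DEMO_ACCESS_KEY = base64.b64encode(b"constructed-demo-key").decode()
DIGESTS = {"sha1": hashlib.sha1}  # only the method shown on this page

def _sign(access_key, version, res, et, method):
    # Assumption: HMAC over "et\nmethod\nres\nversion", keyed with the decoded accessKey.
    msg = "\n".join([str(et), method, res, version]).encode()
    mac = hmac.new(base64.b64decode(access_key), msg, DIGESTS[method])
    return base64.b64encode(mac.digest()).decode()

def build_token(access_key, res, et, method="sha1", version="2018-10-31"):
    """Client side: the token carries the signature, never the key itself."""
    sign = _sign(access_key, version, res, et, method)
    return "version=%s&res=%s&et=%d&method=%s&sign=%s" % (
        version, quote(res, safe=""), et, method, quote(sign, safe=""))

def verify_token(token, access_key, now=None):
    """Server side: returns (ok, reason) for an Authorization header value."""
    try:
        f = {k: v[0] for k, v in parse_qs(token, strict_parsing=True).items()}
        version, res, method, sign = f["version"], f["res"], f["method"], f["sign"]
        et = int(f["et"])
    except (KeyError, ValueError):
        return False, "malformed"
    if method not in DIGESTS:
        return False, "unsupported method"
    expected = _sign(access_key, version, res, et, method)
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected.encode(), sign.encode()):
        return False, "bad signature"
    if et <= (time.time() if now is None else now):
        return False, "expired"  # access time control via the et parameter
    return True, "ok"

if __name__ == "__main__":
    tok = build_token(DEMO_ACCESS_KEY, "products/123123", int(time.time()) + 3600)
    print("Authorization:", tok)
    print(verify_token(tok, DEMO_ACCESS_KEY))
```

Because et is covered by the signature, a client that edits it to extend a token's lifetime produces a signature mismatch rather than a longer-lived token.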