Secure API Access to the Authentiq8 Me Platform
This document explains how to integrate Authentiq8 Me as an authentication method in your own app or website. You keep complete control: your code triggers the Authentiq8 Me API for as many calls as you need, with the level of security you define for each operation.
Eliminate password-based vulnerabilities and reduce the risk of phishing, credential stuffing, and account takeovers.
Authentiq8 Me provides secure, passwordless authentication for your users using digital signatures and push notifications. This guide explains how to integrate with the Authentiq8 Me API using RSA key pairs. There are three basic steps to authenticating your users with Authentiq8 Me:
Your user downloads the Authentiq8 Me app and registers in it
Register your business on the https://authentiq8.me website
Authentiq8 Me an action (Login / Payment / Password Reset)
Authentiq8 Me relies on RSA digital signatures: security comes from the cryptographic keys you control, not from obscurity.
Supported key lengths: RSA 2048 to 4096 bits.
# subject for the self-signed certificate that wraps the key (adjust to your organisation)
subj="/C=GB/ST=London/L=Remote/O=My Organisation/OU=My Unit/CN=My Name/emailAddress=agent@myorg.com"
# generate an RSA-4096 private key (mycert.key, unencrypted because of -nodes) and a self-signed certificate (mycert.pem)
# mycert.key is the secret that signs every API request: keep it readable only by the process that signs (e.g. chmod 600)
openssl req -x509 -newkey rsa:4096 -keyout mycert.key -out mycert.pem -nodes -subj "$subj"
We can also generate an RSA-4096 key pair for you inside the Authentiq8 Me portal: on the API keys page click "Generate Random Key". Generating the key yourself with the command above means the private key never leaves your own systems.
All API requests are sent to the following endpoint:
https://api.authentiq8.me/index.php
All requests are signed with your RSA private key. The signature is computed over the exact JSON request body using SHA-256 (RSA PKCS#1 v1.5, which is what openssl_sign produces with OPENSSL_ALGO_SHA256), hex encoded, and sent in the DigitalSignature header.
<?php
//load the PEM-encoded private key generated above
$strPrivateKey = file_get_contents("/path-to-key/private-key.key");
if ($strPrivateKey === false) {
    die("cannot read private key");
}
//$jsonMessage is the exact JSON request body that will be sent (see the ping example)
//create the binary RSA signature over it using SHA-256
if (!openssl_sign($jsonMessage, $binarySignature, $strPrivateKey, OPENSSL_ALGO_SHA256)) {
    die("signing failed: " . openssl_error_string());
}
//convert to hex; $strSignature is the value sent in the DigitalSignature header
$strSignature = bin2hex($binarySignature);
?>
All API requests require the following headers (each is shown in the ping example below):
Content-Type: application/json
ClientId: your client ID
TransactionID: an identifier you choose, unique per request; the response echoes it as transaction_id
ClientIP: client IP address (127.0.0.1 in the example)
DigitalSignature: hex-encoded RSA-SHA256 signature of the JSON body
List of all available API calls (txn_type values):
txn_type | Description |
---|---|
ping | Check communications are working |
authenticate | Send authentication request to customer device |
check-user-devices | Check for deleted device-id |
disconnect-user | Disconnect the user from your client. For security and general housekeeping: when you no longer have a connection to a user it's good practice to remove the connection on the user device also. |
get-credits | Get number of credits on your pre-paid account in order to not run out |
get-qr-code | Get a QR code in order to enrol a new user for the authenticator |
get-user-status | Poll this API to determine if the QR code has been used. This is an alternative to using the notification/webhook. Do not request more than once per second per user-id. |
Example PHP integration for ping:
<?php
//set up the body as an array
$arrMessage = array();
$arrMessage['message'] = 'World';
//convert the body array into JSON; sign exactly this string (see the signing snippet above)
$jsonMessage = json_encode($arrMessage);
//set up the headers: TransactionID must be unique per request and is echoed back as
//transaction_id; DigitalSignature is the hex signature ($strSignature) of $jsonMessage
$arrHeaders = array(
    'Content-Type: application/json',
    'ClientId: 18cfe20b-7fb8-c27d-d1ee-f127c71e11b7',
    'TransactionID: uniqueID1',
    'ClientIP: 127.0.0.1',
    'DigitalSignature: ' . $strSignature  // e.g. 0f0310baacf122106e3ab0c5b80fc044c19...
);
//Now send the message using cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.authentiq8.me/index.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonMessage);
curl_setopt($ch, CURLOPT_HTTPHEADER, $arrHeaders);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
//CURLOPT_HEADER includes the response headers in the returned string; strip them before json_decode
curl_setopt($ch, CURLOPT_HEADER, 1);
//the response JSON plus all the response headers are now in the string $jsonResponse
$jsonResponse = curl_exec($ch);
if ($jsonResponse === false) {
    die("request failed: " . curl_error($ch));
}
curl_close($ch);
?>
Successful Response:
{
"message": "Hello World",
"rsp_msg": "success",
"rsp_code": "0000",
"transaction_id": "uniqueID1"
}
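The following is an added example, not code from the Authentiq8 Me documentation or SDK. It ties the signing snippet and the ping example together: it builds the body and headers in one place, checks the key length against the supported range, verifies the signature locally the way the server must, shows that re-encoding or altering the body invalidates it, and validates a reply on rsp_code and the echoed transaction_id. To run offline it generates a throwaway RSA key in-process; the function names, the random TransactionID, the response checks and the curl sender are this example's own assumptions, and the ClientId and ClientIP values are the ones from the ping example.

```php
<?php
// Added example (not Authentiq8 Me's own code). Generates a throwaway RSA key so it runs
// offline; in production load your real private key instead. Function names, validation
// rules and the curl sender are assumptions of this example, not the documented API.
declare(strict_types=1);

const API_URL = 'https://api.authentiq8.me/index.php';

// Reject keys outside the supported 2048-4096 bit range before signing anything.
function checkKeyLength(string $privatePem): int {
    $key = openssl_pkey_get_private($privatePem);
    if ($key === false) throw new RuntimeException('cannot read private key: ' . openssl_error_string());
    $bits = openssl_pkey_get_details($key)['bits'];
    if ($bits < 2048 || $bits > 4096) throw new RuntimeException("unsupported RSA key length: $bits bits");
    return $bits;
}

// RSA PKCS#1 v1.5 (what openssl_sign uses) over SHA-256 of the exact body bytes, hex encoded.
function signBody(string $jsonMessage, string $privatePem): string {
    if (!openssl_sign($jsonMessage, $binarySignature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return bin2hex($binarySignature);
}

// Build body and headers together so the signed bytes and the sent bytes cannot drift
// apart. TransactionID is random per request so the echoed transaction_id can be matched.
function buildRequest(array $message, string $clientId, string $clientIp, string $privatePem): array {
    $jsonMessage = json_encode($message, JSON_THROW_ON_ERROR);
    $transactionId = bin2hex(random_bytes(16));
    $headers = [
        'Content-Type: application/json',
        'ClientId: ' . $clientId,
        'TransactionID: ' . $transactionId,
        'ClientIP: ' . $clientIp,
        'DigitalSignature: ' . signBody($jsonMessage, $privatePem),
    ];
    return ['body' => $jsonMessage, 'headers' => $headers, 'transaction_id' => $transactionId];
}

// The server-side check: recompute over the received bytes with the registered public key.
function verifyBody(string $body, string $hexSignature, string $publicPem): bool {
    $sig = hex2bin($hexSignature);
    return $sig !== false && openssl_verify($body, $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Accept a reply only if rsp_code is "0000" and it echoes the TransactionID we sent.
function checkResponse(string $jsonResponse, string $expectedTransactionId): array {
    $rsp = json_decode($jsonResponse, true, 512, JSON_THROW_ON_ERROR);
    if (($rsp['rsp_code'] ?? null) !== '0000') {
        throw new RuntimeException('API error ' . ($rsp['rsp_code'] ?? '?') . ': ' . ($rsp['rsp_msg'] ?? ''));
    }
    if (($rsp['transaction_id'] ?? null) !== $expectedTransactionId) {
        throw new RuntimeException('response transaction_id does not match our TransactionID');
    }
    return $rsp;
}

// Live sender, assumed to match the page's ping example. Without CURLOPT_HEADER the
// returned string is the bare JSON body, ready for checkResponse().
function sendRequest(array $req): string {
    $ch = curl_init(API_URL);
    curl_setopt_array($ch, [CURLOPT_POST => true, CURLOPT_POSTFIELDS => $req['body'],
        CURLOPT_HTTPHEADER => $req['headers'], CURLOPT_RETURNTRANSFER => true]);
    $out = curl_exec($ch);
    if ($out === false) throw new RuntimeException('request failed: ' . curl_error($ch));
    curl_close($ch);
    return $out;
}

// ---- offline demonstration with a throwaway key (assumption: not your production key) ----
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) throw new RuntimeException('key generation failed: ' . openssl_error_string());
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];
checkKeyLength($privatePem);

$req = buildRequest(['message' => 'World'], '18cfe20b-7fb8-c27d-d1ee-f127c71e11b7', '127.0.0.1', $privatePem);
$hexSig = substr($req['headers'][4], strlen('DigitalSignature: '));

// The signature verifies over the bytes we send ...
if (!verifyBody($req['body'], $hexSig, $publicPem)) throw new LogicException('signature must verify');
// ... but not over the same data re-encoded with different whitespace, so send $req['body']
// verbatim and never let a framework re-serialise it ...
$reencoded = json_encode(['message' => 'World'], JSON_PRETTY_PRINT);
if (verifyBody($reencoded, $hexSig, $publicPem)) throw new LogicException('re-encoded body must fail');
// ... nor over a body altered in transit.
if (verifyBody('{"message":"Wor1d"}', $hexSig, $publicPem)) throw new LogicException('tampered body must fail');

// Constructed reply shaped like the documented success response, fed to checkResponse().
$sampleResponse = json_encode(['message' => 'Hello World', 'rsp_msg' => 'success',
    'rsp_code' => '0000', 'transaction_id' => $req['transaction_id']]);
print_r(checkResponse($sampleResponse, $req['transaction_id']));

// Real call against the endpoint, only when explicitly enabled.
if (getenv('AUTHENTIQ8_LIVE')) {
    print_r(checkResponse(sendRequest($req), $req['transaction_id']));
}
```

Two points are worth keeping from this: the signature covers the raw body string, so any layer that re-encodes the JSON (pretty-printing, key reordering, a framework serialising an object) produces bytes the server will reject; and matching the echoed transaction_id against a random per-request TransactionID lets you detect a reply that belongs to a different request.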
All API calls respond with an rsp_code; use the table below to look up the description of a specific response code.