API authentication
- Kiss, Mate
- Hina Kouser
- Gabor Moczar (Unlicensed)
- Daniel Balog
In order to access the services of the API, external applications have to authenticate themselves. As a part of the authentication process, the system only accepts requests which contain a pre-generated API key. The system supports an unlimited number of API keys, which can be issued through the web interface.
API key administration
An API key identifies an application that is intended to use the Verba Business API. The API key administration is available on the web-based user interface of the system. In order to access the configuration, please navigate to Administration / API Keys.
Each application should have its own API key so that it can be configured separately.
In a multi-tenant system, each API Key is associated with a specific environment. Each API user must use an API key that has been issued by a suitably privileged account within their own environment.
API key parameters
You can configure the API keys on the web interface of the Verba Recording System if you have the API Keys permission.
Field | Description | Requirements |
|---|---|---|
API Key | Random generated, unique GUID. | - |
Name | Name of the API key. | Required field |
Network Restrictions | For each API key, the system can restrict access to the API for a certain set of network addresses. This optional parameter contains a list of IP addresses and/or hostnames. | - |
User account-based authentication
For better security, the external application has to provide user credentials in order to access the API.
Each security token's lifetime is 1 hour. The timezone of the results will match the user time zone if user authentication is required for the API key. Unauthenticated API calls will return times in GMT.
Request token
The external application sends an authentication request via HTTP GET or POST and provides the login and password in a Basic Authorization header:
GET /verba/api?action=RequestToken&apiKey=74c8eea0-50c6-40b2-9f3e-252ed501c3c8 HTTP/1.1
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Basic bXlhcGl1c2VyOnBhJCR3b3Jk
The Authorization header starts with the "Basic" string, followed by a space character, then the Base64 encoded form of the login and password separated by a colon, in the above example the "myapiuser:pa$$word" was sent in the Base64 encoded format.
Alternatively, the login and password can be sent in the userName and password HTTP parameters too. It is important that the MD5 format is no longer supported, the password has to be sent in clear text format, so this type of authentication is strongly discouraged for GET requests.
Detailed description of the API request elements:
API request element | Description | Requirements |
|---|---|---|
/verba/api | Verba Business API HTTP URL. | Mandatory |
action=RequestToken | Name of the HTTP API request. | Mandatory |
apiKey=74c8eea0-50c6-40b2-9f3e-252ed501c3c8 | API key used to identify the application. | Mandatory |
Authorization: Basic bXlhcGl1c2VyOnBhJCR3b3Jk | The Basic Authorization header with the Base64-encoded login:password string. The provided user has to have System Administrator and System Supervisor roles. | Mandatory |
userName=myapiuser | If Basic Authorization is not supported by the client, then the Login ID of the user. | Mandatory |
password=pa%24%24word | If Basic Authorization is not supported by the client, then the Password of the user (the "pa$$word" string in URL-Encoded format) | Mandatory |
Response
On success, the API responds with the followings:
<?xml version="1.0" encoding="UTF-8"?>
<VerbaApi>
<Response code="0" type="RequestToken" token="09835e02-6c10-11e0-bb22-ba324924019b"/>
</VerbaApi>