Skip to main content

Authentication

The image shows the journey from the end user to the MSL Edge API.

Client authentication flow

MSL Edge is to whitelist the client partner public IP address/range to allow access to the platform.

Client Credentials

Use the provided username and password for the token request as documented here. If the criteria for a valid username, password and IP address are satisfied the API returns a token.

Authorization Header

Once the API returns a token, the next step is to use it for subsequent API requests. The example shows the Authorization header and the value that must be provided to have an API authorization on an endpoint.

On receiving the token, the platform initiate the validation. It is to ensure requests are from allowed IP addresses and the token is valid.

Password expiry

Important: One of the properties in the token payload is password_expire_days. This indicates the number of days till the password associated with the account expires. Ensure that the password is changed before expiry, else requests will be rejected and the endpoint will start returning status code 401 error code 4010001. To change the password, a POST request to endpoint /manage/password should be made. The functionality also checks if the new password provided have already been used or not by the intended user. If it has been used in the past, the endpoint will return status code 401 error code 4010001.

As one might have noticed, status code 401 error code 4010001 is used multiple times in the authentication process. This is intended to ensure that no usernames and/or passwords are exposed to unauthorized users. If this error is encountered and not sure why, please contact the support team for more assistance.

IP Whitelising

When a request to generate a new token is received, the IP from where the request originated is also recorded and used in the token generation. When credentials for making requests to the APIs are being created, a number of IPs or IPv4 ranges are to be provided in order for generation of tokens to be successful. When a request is received, the IP of the request is checked against the IPs or IPv4 ranges provided, and if there is a match, a token is generated accordingly.

Suspicious IPs

Although an IP is whitelisted to authenticate and retrieve tokens, it doesn't mean that its also whitelisted from the Suspicious IPs security feature enabled. If a burst of 20 or more requests to retrieve a token are made in a very short period of time, the IP will immediately be flagged and blocked for a period of approximately 15 minutes. If during these 15 minutes more tokens will be requested, error code 4010001 will be returned to not disclose the status of the credentials provided.