Authentication

Authentication keys

When making a request to the AzoraOne API you will need two authentication keys, a client key and a subscription key.

  • The client key is specific to the API and will be the same for all users with access to the API.

  • The subscription key is specific to the subscription (the connection between a user and an API) and will be different between users.

How to acquire authentication keys

You will need to create a developer account in order to receive your authentication keys.

  1. Create a developer account

  2. Subscribe to the product you wish to access

  3. The client key can now be found in the API explorer.

  4. The subscription key can now be found in the API explorer and the profile page.

When exploring the AzoraOne Sandbox API the client key will be available to all guests and developers. The subscription key still needs to be generated by creating a developer account and subscribing to the AzoraOne Sandbox product. You can explore the Sandbox API free of charge.

How to use authentication keys

You will need to provide a valid client key and a valid subscription key in the header of each request made to the AzoraOne API.

  • Add the client key to a header named Client-Key

  • Add the subscription key to a header named Ocp-Apim-Subscription-Key

GET https://api.azora.one/{api}/{version}/companies

Client-Key: **********************
Ocp-Apim-Subscription-Key: ********************************

How to keep your authentication keys secure

Your authentication keys should be treated as secrets. Exposing your credentials can result in your data being accessed or compromised.

To keep your authentication keys secure, follow these best practices.

  • Do not embed authentication keys directly in the source code
    Authentication keys that are embedded in code or the source tree can be accidentally exposed if someone gains access to your repositories. Instead, store authentication keys in environment variables or in files outside of your source code.

  • Use your authentication keys only where needed
    By restricting the number of servers and/or applications that have access to the authentication keys, you minimize the number of places from which a key can be compromised. It also makes it easier to regenerate and replace a compromised authentication key.

  • Regenerate your subscription keys periodically or if compromised
    You can regenerate your subscription keys if you think they might have been compromised, or simply as a precaution against future attacks.

  • Delete unneeded subscription keys
    To minimize the risk of someone gaining access to an older subscription key, delete any authentication keys that you no longer need.

How to regenerate subscription keys

On your profile page you can find two subscription keys, a primary and a secondary, for every product you subscribe to. Having two subscription keys allows you to do "rolling updates": if one key is exposed and needs to be regenerated, the other key can still be used in the meantime. This allows you to use the secondary key to keep your application running while regenerating the primary key, and vice versa.

You can also use a secondary subscription key to grant another party temporary access and later revoke their access by regenerating the key.
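
The advice to keep keys out of source code and the primary/secondary rollover described above, shown together as an added Python example (not AzoraOne's own code). The environment variable names, and the assumption that a rejected subscription key is answered with HTTP 401, are made for this example and are not stated on this page.

```python
import os
import urllib.error
import urllib.request

# Environment variable names are assumptions made for this example.
ENV_CLIENT = "AZORAONE_CLIENT_KEY"
ENV_PRIMARY = "AZORAONE_SUBSCRIPTION_KEY_PRIMARY"
ENV_SECONDARY = "AZORAONE_SUBSCRIPTION_KEY_SECONDARY"
SECRET_HEADERS = {"Client-Key", "Ocp-Apim-Subscription-Key"}


def load_keys(env=os.environ):
    """Read keys from the environment; fail closed if a required one is missing."""
    client = env.get(ENV_CLIENT)
    subs = [k for k in (env.get(ENV_PRIMARY), env.get(ENV_SECONDARY)) if k]
    if not client or not subs:
        # The message names what is missing but never echoes a key value.
        raise RuntimeError("client key and at least one subscription key are required")
    return client, subs


def redact(headers):
    """Copy of the headers that is safe to log: key values are masked."""
    return {n: ("********" if n in SECRET_HEADERS else v) for n, v in headers.items()}


def http_get(url, headers):
    """Default transport: returns (status, body) instead of raising on HTTP errors."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def get_with_rollover(url, client_key, subscription_keys, send=http_get):
    """Try each subscription key in order; move on only when the key is rejected."""
    status, body = None, b""
    for index, sub_key in enumerate(subscription_keys):
        headers = {"Client-Key": client_key, "Ocp-Apim-Subscription-Key": sub_key}
        status, body = send(url, headers)
        if status != 401:  # assumption: a rejected key is answered with 401
            return status, body, index  # index tells the caller which key worked
    return status, body, None  # every configured key was rejected
```

A returned index of 1 means the primary key was rejected and the stored primary value should be replaced with the regenerated one.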