Access Control

The API is secured. To gain access, you need to supply authentication information in the headers of the request.

Every request must include at least 2 HTTP headers. These are your access control headers, named Consumer-Identifier and Consumer-Secret-Key. The values to use for these headers will be assigned to you. They are the same thing as a password and must be safeguarded: keep them in a secure place, preferably encrypted, and never transmit them in clear text. You may request a change of your secret key at any time. Once a new secret key is generated, the old one will never work again and should be discarded.

User Authentication Token

Some APIs require authentication information for specific users of SMG's systems. In the documentation on this site, these APIs are marked with an indicator. Clicking that indicator will bring you back to this page.

To access these APIs you need to also include a third header with the request: User-Authentication-Token. To get the value for this header you must first validate a user's credentials. Use this API to do that: POST Users/ValidateCredentials

Once you've validated the user's credentials you will have an Authentication Token. It remains valid for a period of time, so you only need to validate once and then cache the token. The token is the user's identity and as such should be kept secret. When the token expires, the API will respond with a 400 and the string User-Authentication-Token in the response message. This is your indicator that you need to validate the user's credentials again to get a new Authentication Token.
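
The caching and re-validation flow described above, as an added example that is not part of the original documentation. The `send` transport, the `validate_user` wrapper around POST Users/ValidateCredentials (its request and response format is not given on this page), the `SMG_CONSUMER_ID` and `SMG_CONSUMER_SECRET` environment variable names, the resource path and the in-memory server are all assumptions made for illustration.

```python
import os

EXPIRED_MARKER = "User-Authentication-Token"  # string the page says appears in the 400 message


class ApiClient:
    """Attaches the access control headers and caches the user token in memory."""

    def __init__(self, send, validate_user, consumer_id, consumer_secret):
        self._send = send                    # assumed: send(method, path, headers, body) -> (status, text)
        self._validate_user = validate_user  # assumed: calls Users/ValidateCredentials, returns the token
        self._base = {"Consumer-Identifier": consumer_id,
                      "Consumer-Secret-Key": consumer_secret}
        self._token = None

    def request(self, method, path, body=None):
        for _ in range(2):                   # first attempt plus one retry, never an endless loop
            if self._token is None:
                self._token = self._validate_user()
            headers = dict(self._base, **{"User-Authentication-Token": self._token})
            status, text = self._send(method, path, headers, body)
            if status == 400 and EXPIRED_MARKER in text:
                self._token = None           # expired: discard the cached token and re-validate
                continue
            return status, text              # unrelated 400s are returned, not treated as expiry
        raise PermissionError("token rejected right after re-validation")


def demo():
    """Constructed in-memory server: 'tok-1' is expired, 'tok-2' is valid."""
    issued, calls = iter(["tok-1", "tok-2"]), []

    def fake_send(method, path, headers, body):
        calls.append(headers["User-Authentication-Token"])
        if headers["User-Authentication-Token"] == "tok-1":
            return 400, "Invalid or expired User-Authentication-Token"  # constructed message
        return 200, "ok"

    # Secrets come from the environment (hypothetical names), never from source code.
    client = ApiClient(fake_send, lambda: next(issued),
                       os.environ.get("SMG_CONSUMER_ID", "placeholder-id"),
                       os.environ.get("SMG_CONSUMER_SECRET", "placeholder-secret"))
    first = client.request("GET", "Example/Resource")
    second = client.request("GET", "Example/Resource")
    return first, second, calls


if __name__ == "__main__":
    print(demo())
```

The client keeps the token only in memory and never writes header values to logs, in line with the page's requirement that the secret key and token be kept secret.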