Pre-Shared Key Authentication Method
This document outlines how to access the Armor API system using the Pre-Shared Key (PSK) authentication method. This method applies to all Armor API's.
Create an API key in AMP, and then authenticate through the command line
You can use the API tokenization feature in the Armor Management Portal (AMP) to create an API key. This key will help you log into the Armor API system.
After you create a key, you can use a GET request to log into the Armor API system.
Before you begin:
If you access the Armor API system through an AMP-generated API Key, then you will not be able to access the following endpoints:
GET /users/{id}/keys
DELETE /users/{id}/keys/{key}
POST /users/{id}/keys
GET /users/{id:int}/ActivationCode
POST /users/resetpassword
POST /users/setpassword
PUT /users/{id:int}
POST /users/status
POST /users/
POST /users/{userId:int}/invite
GET /users/LockedOut/{accountId}/{email}
POST /users/unlock/{accountId}/{email}
DELETE /users/softDelete
PUT /usersecurity/challengephrase
GET /usersecurity/securityinformation/{referencekey}
POST /usersecurity/securityinformation/{referencekey}
POST /usersecurity/securityinformation/existing/{referencekey}
GET /usersecurity/challengephrase/{userId}
POST /usersecurity/validatemfaphone
POST /usersecurity/securityinformation/{accountId}/{userId}
POST /usersecurity/validatephoneapppin
At a high-level, to authenticate into the Armor API system with your API token, you must create a header with the following information:
ARMOR-PSK {Private Key ID}:{HMACSHA512 Signature}:{Nonce}:{Timestamp}
Review the following sample authentication header:
ARMOR-PSK 20a37099-4a0b-432f-bf46-5fa690a0405c:8wliK5PMXBrMNQX0DmXkkpC2YD5j+QtPH2xVRZM7jaaS0hC6jhRmtxy+nKJidDnYTpFc6blsO7+4VfKqslbqzA==:1528140529:1528140529Note: The nonce value (1528140529) must equal the timestamp value (1528140529).
Authentication Component | Description | Example |
|---|---|---|
Authorization Type | Use ARMOR-PSK. | ARMOR-PSK |
API Key ID | Use the Key ID generated in AMP. | 20a37099-4a0b-432f-bf46-5fa690a0405c |
HMAC signature | Create an HMAC-SHA512 signature from the concatenation of: api_key_id + httpMethod + requestPath + nonce + timestamp + body_hash. Use the Secret Key (from AMP) as the HMAC key. The signature must be base64-encoded. See Signature Computation and Body Hash sections below. | 8wliK5PMXBrMNQX0DmXkkpC2YD5j+QtPH2xVRZM7jaaS0hC6jhRmtxy+nKJidDnYTpFc6blsO7+4VfKqslbqzA== |
Nonce | Must equal the timestamp value (same value, in seconds). Because nonce equals timestamp, only one request per second can be made per API key. | 1528140529 |
Timestamp | Enter a Unix time stamp within 5 minutes of current time. | 1528140529 |
Signature Computation
The HMAC-SHA512 signature is computed from a concatenated string of request parameters (no separators between values):
signature_data = {api_key_id} + {http_method} + {request_path} + {nonce} + {timestamp} + {body_hash}
signature = base64(hmac_sha512(signature_data, secret_key))Important: The secret_key must be used directly as a UTF-8 encoded string when computing the HMAC. Do not base64-decode the secret key before using it as the HMAC key.
Body Hash Computation
For requests with a body (POST, PUT, PATCH):
body_hash = base64(sha512(request_body))For requests without a body (GET, DELETE):
body_hash = ""Required Headers
Header | Description | Example |
|---|---|---|
Authorization | ARMOR-PSK authentication header | ARMOR-PSK {key_id}:{signature}:{nonce}:{timestamp} |
X-Account-Context | The account ID context for the request | 12345 |
Content-Type | application/json for requests with a body | application/json |
Rate Limit
Because the nonce must equal the timestamp (in seconds), only one request per second is allowed per API key. Requests that reuse a nonce/timestamp pair will be rejected. If you need higher throughput, use multiple API keys.
Based on your API application, review the following documents for additional authentication information:
To review the API calls, as well as implement the calls, access the interactive Armor API tool at https://developer.armor.com/.
Troubleshooting
If you cannot create or access the API Keys screen, consider that:
You may not have permissions to use this feature.
You must have the following permissions enabled:
API Keys All Read
API Keys All Delete
API Keys Self Manage
To learn how to update your permissions, see Roles and Permissions.
Before you begin:
The base URL is https://api.armor.com.
This endpoint requires TLS 1.2+.
The API uses standard OAuth authentication.
If you intend to use your account as an API service account, please contact Armor Support to update the MFA setting on the account.
If your Armor Management Portal (AMP) account requires multi-factor authentication (MFA), you should configure your HTTP client to have a timeout that allows sufficient time to enter the MFA response.
To access the API, you must first authenticate. Enter the login information for the Armor Management Portal (AMP). Review the following example.
CODEPOST /auth/authorize { "username": "[email protected]", "password": "password123%^&" }If the authentication is successful, you will receive the authorization code (code). Review the following example.
CODE{ "redirect_uri": null, "code": "<<base64-hash>>", "success": true }Redeem the authorization code (code) to retrieve the access token. You must redeem this code within two minutes of the previous request. Review the following example.
CODEPOST /auth/token { "code":"<<base64-hash>>", "grant_type":"authorization_code" }If the request is successful, you will receive the access token (access_token). Review the following example.
CODE{ "access_token": "<<32-bit-uuid>>", "id_token": "<<base64-hash>>", "expires_in": 15, "token_type": "Bearer" }Enter the access token (access_token) to complete the authentication process. Review the following example.
CODEAuthorization: FH-AUTH <<access_token>>(Optional) The access token expires every 15 minutes. If you want to extend the session, then you can request a new access token before the current access token expires. In this example, you do not need to authenticate again with the new access token. Review the following example.
CODEPOST /auth/token/reissue { "token": "<<32-bit-uuid>>" }(Optional) If the request is successful, you will receive the previous access token without the ID token. Review the following example.
CODE{ "access_token": "<<32-bit-uuid>>", "id_token": null, "expires_in": 15, "token_type": "Bearer" }(Optional) If you have multiple accounts in AMP, you may want to specify the account to configure. Enter the integer for the account ID. Review the following example.
CODEX-Account-Context: <<int>>
There are two ways to retrieve your account ID:
Via the command line:
In the command line, enter the GET /me command.
Via AMP:
Access the Armor Management Portal (AMP).
On the left-side navigation, click Account.
Copy the number in Account Number.
In the command line, for X-Account-Context, enter the Account Number.
When you create an API Key, you will generate a Secret Key. This key does not expire; you must securely store this key because Armor cannot retrieve this key for you.
If you lose the Secret Key, then you must delete the corresponding API Key in AMP. Afterwards, you must create a new API Key.
Armor cannot retrieve your Secret Key.
In the Armor Management Portal (AMP), in the left-side navigation, click Account.
Click Users.
Click API Keys.
Click the plus icon.
Enter a descriptive name, and then click Create Key.
Copy the Key ID and Secret Key.
Click Close.
The API Keys table will display a new entry.