Calling party authentication and authorization
Usually, endpoints created in Altogic require an API key for authentication. You can specify whether an endpoint requires an API key or not when creating or updating an endpoint. Please refer to Managing API keys for more details on how to create and update API keys.
Access groups are used to authorize specific endpoints of your application. When you create an endpoint, you can specify the list of access groups that are allowed to access the service exposed by the endpoint. To use authorization for your endpoints, you need to perform three basic steps.
Step #1 - Create an access group
Depending on your business needs, you can create as many access groups as you like in the App settings view. In our example below, we create two access groups, one called Sales and the other called Production.
Step #2 - Assign access groups to endpoints
After creating your access groups, it is time to assign them to your endpoints. For example, assuming we are developing an app for a company to manage its sales and inventory, we would like to allow only people from the sales department, and not people from production, to create and update sales records. In this case, we add the Sales access group to the endpoints that create or update sales records.
Info: To use access groups for your endpoints, the session requirement of the endpoint needs to be enabled.
Step #3 - Assign access groups to users
In steps 1 and 2, you completed the basic setup for authorization of endpoints. Now it is time to assign access groups to your application users. Using access groups requires a session, and the session token must be passed in the "Session" header of the endpoint request.
Typically, the point at which you authenticate your users is the right place to create user session tokens. While creating the user session, you can also provide the list of access groups the user is authorized for. In the example below, we sign in a user from the Sales organization and create a session for that user with the "sales" access group.
Info: You can also design your application frontend to grant access to sales-related data to Sales organization users only. However, using access groups in the backend ensures that only authorized users can execute the services assigned to their access group.
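The following is an added illustration, not Altogic's own code or SDK: a small model of the decision the three steps above produce at request time (API key check, session requirement, and access-group match), including the fail-closed case from the note about the session requirement. The endpoint and session shapes, the `apiKey` field, and all sample values are constructed assumptions.

```javascript
// Added model of the authorization rules described on this page; NOT Altogic's
// implementation. Endpoint/session shapes, header field names and sample data
// are assumptions constructed for illustration.

// Step 1: access groups defined in app settings (page's example: Sales, Production).
const ACCESS_GROUPS = new Set(["sales", "production"]);

// Step 2: endpoint settings - API key requirement, session requirement, allowed groups.
const ENDPOINTS = {
  "POST /sales":  { requireApiKey: true,  requireSession: true,  accessGroups: ["sales"] },
  "GET /public":  { requireApiKey: false, requireSession: false, accessGroups: [] },
  // Deliberately misconfigured: groups listed but session requirement disabled.
  "PUT /stock":   { requireApiKey: true,  requireSession: false, accessGroups: ["production"] },
};

// Step 3: constructed session store - token issued at sign-in -> granted groups.
const SESSIONS = {
  "tok-alice": { userId: "alice", accessGroups: ["sales"] },
  "tok-bob":   { userId: "bob",   accessGroups: ["production"] },
};

const VALID_API_KEY = "constructed-api-key"; // assumed value

// Decide whether a request may reach the endpoint. `headers.Session` carries the
// session token (as on the page); `headers.apiKey` is an assumed field name.
function authorize(route, headers) {
  const ep = ENDPOINTS[route];
  if (!ep) return { allowed: false, reason: "unknown endpoint" };
  if (!ep.accessGroups.every((g) => ACCESS_GROUPS.has(g)))
    return { allowed: false, reason: "endpoint references an undefined access group" };
  // Access groups only take effect with the session requirement enabled; fail closed.
  if (ep.accessGroups.length > 0 && !ep.requireSession)
    return { allowed: false, reason: "access groups set but session requirement disabled" };
  if (ep.requireApiKey && headers.apiKey !== VALID_API_KEY)
    return { allowed: false, reason: "missing or invalid API key" };
  if (ep.requireSession) {
    const session = SESSIONS[headers.Session];
    if (!session) return { allowed: false, reason: "missing or invalid session token" };
    // Authorization: the session must hold at least one of the endpoint's groups.
    if (ep.accessGroups.length > 0 &&
        !ep.accessGroups.some((g) => session.accessGroups.includes(g)))
      return { allowed: false, reason: "user is not in an allowed access group" };
  }
  return { allowed: true, reason: "ok" };
}
```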