Advanced Authentication Guide

Using "API Key" alone as the API authentication method is generally not considered secure.

For production environments (or any environment of your choice), it is recommended to use more secure methods to authenticate API access.


To do so in Joget's API Builder plugin is really easy!

In the "Manage API Key" menu, other than "API Key", you can also select these methods:

Not only that, you can also develop custom API Authenticator plugins, either to add additional authentication on top of the built-in methods or to replace the default authentication methods altogether.

Note: For ALL authentication methods and even with the use of a custom API Authenticator plugin, the API Key is always required.


API Key & Token:

Upon selecting this auth method, you are presented with 2 additional fields:

  • API Secret
  • Token Pattern

The API secret can be any string of your choice.
The token pattern consists of a hash algorithm and variables, and can be configured to your preferred pattern. Its format is:

  • HASH(PATTERN)

The API Secret and Token Pattern used in this example are, respectively:

  • myverysecretkey
  • SHA-256({api_key}::{api_secret})


Now that we have set up an API access using this auth method, API calls using this access require an additional field in the request header, which is:

  • token

To authenticate, we need to derive the token value as per the configured pattern.
The equation would look like this:

  • SHA-256(4b1763692be64ed898e803c18c4a5da7::myverysecretkey)

And its derived value will be: ed4c66fbdff9f807fa34d45295f2ab2eda066adaacf8dc6fac71662a50fadafd

Now, with the information above, this is what it looks like in Postman:
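The token derivation described above, as an added example that is not code from the Joget project: the pattern is split into its hash algorithm and variable template, the {api_key} and {api_secret} variables are substituted, and the result is hashed. The example values are the ones used on this page; the name of the API-key header and the mapping from "SHA-256" to Python's hashlib names are assumptions, and the constant-time comparison is how a server-side check of a received token should be written.

```python
import hashlib
import hmac
import re

# Example values, matching the ones used on this page.
API_KEY = "4b1763692be64ed898e803c18c4a5da7"
API_SECRET = "myverysecretkey"
TOKEN_PATTERN = "SHA-256({api_key}::{api_secret})"

# Format is HASH(PATTERN): a hash name followed by a parenthesised template.
_PATTERN_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\((.*)\)\s*$")


def derive_token(pattern, api_key, api_secret):
    """Derive the 'token' header value for an API Key & Token access.

    Assumption: the hash name in the pattern (e.g. SHA-256) maps onto a
    hashlib algorithm by dropping the hyphen and lower-casing it.
    """
    m = _PATTERN_RE.match(pattern)
    if not m:
        raise ValueError("token pattern must have the form HASH(PATTERN)")
    algo, template = m.group(1), m.group(2)
    name = algo.replace("-", "").lower()          # "SHA-256" -> "sha256"
    if name not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    material = (template
                .replace("{api_key}", api_key)
                .replace("{api_secret}", api_secret))
    return hashlib.new(name, material.encode("utf-8")).hexdigest()


def request_headers(api_key, api_secret, pattern=TOKEN_PATTERN):
    """Headers a client sends. 'token' is from the page; the header name
    carrying the API key ('api_key') is an assumption."""
    return {"api_key": api_key,
            "token": derive_token(pattern, api_key, api_secret)}


def verify_token(received, api_key, api_secret, pattern=TOKEN_PATTERN):
    """Server-side check: recompute the expected token from the stored
    secret and compare in constant time so timing does not leak a prefix."""
    expected = derive_token(pattern, api_key, api_secret)
    return hmac.compare_digest(received.lower(), expected)


if __name__ == "__main__":
    headers = request_headers(API_KEY, API_SECRET)
    print("token:", headers["token"])
    print("valid:", verify_token(headers["token"], API_KEY, API_SECRET))
```

Running the block prints the token for the page's example key, secret and pattern; the value should match the one derived above. Because the token is a plain hash of static inputs, it is the same for every request, so it is only as secret as the API key and secret themselves and still needs TLS on the wire.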


Basic Access Authentication:

Upon selecting this auth method, you are presented with an additional field:

Here you can find all the permission plugins that are available in Joget to control API access.
See all available permission plugins here: https://dev.joget.org/community/display/DX7/Permission+Control

The permission plugin used in this example is "Is Admin".
Depending on the chosen plugin, some configuration may be required. If so, click on "Configure Plugin" and configure the permission plugin as usual.

Now that we have set up an API access using this auth method, API calls using this access require an additional field in the request header, which is:

  • Authorization

To authenticate, we need to derive the Authorization value.
The value is the word "Basic", a space, and the base64 encoding of the user's username and password joined by a colon:

  • "Basic" base64(username:password)

Hence, the equation with the default 'admin' credential would look like this:

  • "Basic" base64(admin:admin)

And its derived value will be: Basic YWRtaW46YWRtaW4=

Now, with the information above, this is what it looks like in Postman:
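The Authorization value described above, built and parsed, as an added example that is not code from the Joget project. The builder produces the header a client sends; the parser is the kind of check a server performs before it looks the user up and runs the configured permission plugin (that lookup and the "Is Admin" check happen inside Joget and are not reproduced here). The default admin:admin credential is the page's example; everything else is constructed.

```python
import base64
import binascii


def basic_auth_header(username, password):
    """Return the Authorization header value: "Basic" base64(username:password).

    The user-id part must not contain a colon, since the first colon is
    what separates it from the password on the receiving side.
    """
    if ":" in username:
        raise ValueError("username must not contain ':'")
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def parse_basic_auth_header(value):
    """Decode an Authorization header value back into (username, password).

    Returns None for anything that is not well-formed Basic credentials:
    wrong scheme, invalid base64, non-UTF-8 bytes, or no colon separator.
    Only the first colon splits, so passwords may themselves contain colons.
    """
    scheme, _, encoded = value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    username, sep, password = text.partition(":")
    if not sep:
        return None
    return username, password


if __name__ == "__main__":
    header = basic_auth_header("admin", "admin")
    print(header)                            # the value derived above
    print(parse_basic_auth_header(header))   # ('admin', 'admin')
```

Basic credentials are only encoded, not encrypted, and are re-sent on every call, so this method relies entirely on TLS and on the permission plugin limiting which users the access accepts; a client should also pair the header with a password that is not the default one shown here.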


Reference:

https://dev.joget.org/community/display/marketplace/Manage+API+Key+Menu#ManageAPIKeyMenu-ConfigureAPIAccess