Authentication & Authorization

Auth Overview

The Sway Charts REST API supports two auth methods:

  • Basic authentication - the simplest authentication type best suited for a simple B2C integration when security requirements are not high. It also consumes fewer resources on the server and client side.

  • HMAC authentication - most suitable for large B2B integrations with high security demands. It provides a digital signature for each request that guarantees that the request hasn't been tampered with.

The Sway Charts REST API basic authentication should not be mistaken for standard HTTP Basic Authentication; these are different.

Due to the stateless nature of the REST API, there is no strict notion of a user "session". Each request may be treated as a separate session, especially with HMAC authentication, where there is no separate "login" phase. That's why the system treats user sessions differently depending on the authentication type:

  • Basic authentication – the client is considered logged in from the moment the "login" request completes successfully until any of the following events occur:

    • "Logout" is requested explicitly by the client or by the platform itself

    • More than a predefined timeout passes since the last request to the API

  • HMAC authentication – the client is considered logged in from the moment of its first request until a predefined timeout passes since the last request.
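
The session rules above, modelled as a small client-side tracker. This is an added example, not Sway Charts code: the `SessionModel` class, its method names and the 900-second timeout are assumptions, since the page only says the timeout is "predefined".

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 900.0  # assumed value in seconds; the page gives no number


@dataclass
class SessionModel:
    """Hypothetical model of the session lifetime for one client."""
    auth_type: str                      # "basic" or "hmac"
    timeout: float = IDLE_TIMEOUT
    last_seen: Optional[float] = None   # time of last accepted request; None = no session
    sessions_started: int = 0

    def is_logged_in(self, now: float) -> bool:
        # The session ends once MORE than `timeout` has passed since the last request.
        if self.last_seen is not None and now - self.last_seen > self.timeout:
            self.last_seen = None
        return self.last_seen is not None

    def login(self, now: float) -> None:
        if self.auth_type != "basic":
            raise ValueError("HMAC authentication has no separate login phase")
        self.last_seen = now
        self.sessions_started += 1

    def logout(self) -> None:
        # The page lists explicit logout only for basic authentication.
        if self.auth_type != "basic":
            raise ValueError("logout is modelled for basic authentication only")
        self.last_seen = None

    def request(self, now: float) -> bool:
        """Return True if the request is served inside a session."""
        if not self.is_logged_in(now):
            if self.auth_type == "basic":
                return False            # expired or never logged in: login again first
            self.sessions_started += 1  # HMAC: any first request opens a session
        self.last_seen = now            # every accepted request resets the idle timer
        return True
```

The practical difference it shows: after an idle timeout, a basic-auth client has to log in again, while an HMAC client's next signed request simply begins a new session.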
