PRD_SIS_004_Developer's Guide 2.6

Connection initialization and token retrieval

When calling the REST API web services, the client must present the certificate issued by Flowbird, together with the associated private key, when establishing the secured HTTPS connection (how this is done depends on the connection library used).

This procedure is used to:

Identify the client on the system

Ensure that the communication with the client is trusted (encryption and signature)

Once the connection is approved at the entry point of the Flowbird system:

1. The client certificate is forwarded to an identity server to retrieve the client account and rights.

2. A security token is generated that includes the information to be used internally in the Flowbird system.

3. The API call issued by the client is then forwarded to the target application, together with this security token.

This token is a signed JWT and is sent back to the client in the Authorization header of the API call response.

While the token is valid, the client SHOULD send it back in the following API calls, so that the server does not perform the authentication phase again and can respond faster.
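The client side of this flow, as an added example that is not part of the Flowbird guide: a TLS context that presents the issued certificate, and a cache that keeps the Authorization value from a response and replays it until shortly before it expires. It assumes the JWT carries an `exp` claim and that the client returns the token in the Authorization request header exactly as received; `mtls_context`, `jwt_expiry`, `TokenCache` and `constructed_jwt` are hypothetical names.

```python
import base64, json, ssl, time

def mtls_context(cert_file, key_file):
    """TLS context presenting the Flowbird-issued certificate and its private key."""
    ctx = ssl.create_default_context()  # server certificate verification stays on
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def jwt_expiry(header_value):
    """Return the `exp` claim, or None. Unverified: used for cache timing only."""
    try:
        payload = header_value.split()[-1].split(".")[1]  # tolerate a scheme prefix
        payload += "=" * (-len(payload) % 4)              # restore base64 padding
        return float(json.loads(base64.urlsafe_b64decode(payload))["exp"])
    except (AttributeError, IndexError, KeyError, TypeError, ValueError):
        return None

class TokenCache:
    """Holds the Authorization value from the last response until it nears expiry."""
    def __init__(self, skew=30):
        self.value, self.expires, self.skew = None, 0.0, skew

    def store(self, response_headers):
        value = response_headers.get("Authorization")
        exp = jwt_expiry(value)
        if exp is not None:
            self.value, self.expires = value, exp

    def request_headers(self, now=None):
        now = time.time() if now is None else now
        if self.value and now < self.expires - self.skew:
            return {"Authorization": self.value}  # assumption: echoed back as received
        self.value = None  # expired or absent: server runs the certificate phase again
        return {}

def constructed_jwt(exp):
    """Constructed sample token with a dummy signature, for the demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc({'sub': 'client-1', 'exp': exp})}.c2ln"

if __name__ == "__main__":
    cache = TokenCache()
    cache.store({"Authorization": constructed_jwt(time.time() + 600)})
    print(cache.request_headers())                       # token reused
    print(cache.request_headers(now=time.time() + 900))  # {} once expired
```

The context returned by `mtls_context` is passed to the HTTPS client, for example `http.client.HTTPSConnection(host, context=ctx)`, and the certificate is still presented on every connection; the cached token only spares the server-side authentication phase.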