Authorisation modes explained (token, PPK and OAuth)
There are three security mechanisms for using the web services. You can use any of these.
Token
So we can identify which organisation is using the web services, a token is issued to each organisation. The token can be exposed to any web service request, for example in a /data request. The token is the same for all requests made. It is important that you do not share the token outside your organisation.
You can Request a token.
Public/private key
If you need to share requests for data and other web services with people outside your organisation (including in web page code that can be viewed) you should use an application key. A key is issued to each organisation. The key is used in conjunction with a secret (a bit like a password) to sign each URL. The combination of key and secret is used to generate a token that is appended to a web service call and is unique to that call.
You can Request a key
OAuth access
OAuth is the open standard for authorisation.
esd has a sign-in mechanism that uses OAuth so any developer can implement sign-in in the same way as LG Inform and LG Inform Plus. If your application uses OAuth sign-in, you can give signed-in users access (via the web services) to data personal to them and non-public data that their organisation might be permitted to use.
To prevent security issues when handling redirects from the OAuth process, please don't allow redirection to other domains that you do not control.
Note that OAuth calls are linked to people's sign-ins and they expire when the sign-in expires - usually on the next day.